ETAPS Foreword


Welcome to the proceedings of ETAPS 2018! After a somewhat coldish ETAPS 2017 
in Uppsala in the north, ETAPS this year took place in Thessaloniki, Greece. I am 
happy to announce that this is the first ETAPS with gold open access proceedings. This 
means that all papers are accessible by anyone for free. 

ETAPS 2018 was the 21st instance of the European Joint Conferences on Theory and Practice of Software. ETAPS is an annual federated conference established in 1998, and consists of five conferences: ESOP, FASE, FoSSaCS, TACAS, and POST. Each conference has its own Program Committee (PC) and its own Steering Committee. The conferences cover various aspects of software systems, ranging from theoretical computer science to foundations to programming language developments, analysis tools, formal approaches to software engineering, and security. Organizing these conferences in a coherent, highly synchronized conference program facilitates participation in an exciting event, offering attendees the possibility to meet many researchers working in different directions in the field, and to easily attend talks of different conferences. Before and after the main conference, numerous satellite workshops take place and attract many researchers from all over the globe.

ETAPS 2018 received 479 submissions in total, 144 of which were accepted, 
yielding an overall acceptance rate of 30%. I thank all the authors for their interest in 
ETAPS, all the reviewers for their peer reviewing efforts, the PC members for their 
contributions, and in particular the PC (co-)chairs for their hard work in running this 
entire intensive process. Last but not least, my congratulations to all authors of the 
accepted papers! 

ETAPS 2018 was enriched by the unifying invited speaker Martin Abadi (Google Brain, USA) and the conference-specific invited speakers (FASE) Pamela Zave (AT&T Labs, USA), (POST) Benjamin C. Pierce (University of Pennsylvania, USA), and (ESOP) Derek Dreyer (Max Planck Institute for Software Systems, Germany). Invited tutorials were provided by Armin Biere (Johannes Kepler University, Linz, Austria) on modern SAT solving and Fabio Somenzi (University of Colorado, Boulder, USA) on hardware verification. My sincere thanks to all these speakers for their inspiring and interesting talks!

ETAPS 2018 took place in Thessaloniki, Greece, and was organised by the Department of Informatics of the Aristotle University of Thessaloniki. The university was founded in 1925 and currently has around 75,000 students; it is the largest university in Greece. ETAPS 2018 was further supported by the following associations and societies: ETAPS e.V., EATCS (European Association for Theoretical Computer Science), EAPLS (European Association for Programming Languages and Systems), and EASST (European Association of Software Science and Technology). The local organization team consisted of Panagiotis Katsaros (general chair), Ioannis Stamelos, Lefteris Angelis, George Rahonis, Nick Bassiliades, Alexander Chatzigeorgiou, Ezio Bartocci, Simon Bliudze, Emmanouela Stachtiari, Kyriakos Georgiadis, and Petros Stratis (EasyConferences).

The overall planning for ETAPS is the main responsibility of the Steering Committee, and in particular of its Executive Board. The ETAPS Steering Committee consists of an Executive Board and representatives of the individual ETAPS conferences, as well as representatives of EATCS, EAPLS, and EASST. The Executive Board consists of Gilles Barthe (Madrid), Holger Hermanns (Saarbrücken), Joost-Pieter Katoen (chair, Aachen and Twente), Gerald Lüttgen (Bamberg), Vladimiro Sassone (Southampton), Tarmo Uustalu (Tallinn), and Lenore Zuck (Chicago). Other members of the Steering Committee are: Wil van der Aalst (Aachen), Parosh Abdulla (Uppsala), Amal Ahmed (Boston), Christel Baier (Dresden), Lujo Bauer (Pittsburgh), Dirk Beyer (Munich), Mikołaj Bojańczyk (Warsaw), Luís Caires (Lisbon), Jurriaan Hage (Utrecht), Rainer Hähnle (Darmstadt), Reiko Heckel (Leicester), Marieke Huisman (Twente), Panagiotis Katsaros (Thessaloniki), Ralf Küsters (Stuttgart), Ugo Dal Lago (Bologna), Kim G. Larsen (Aalborg), Matteo Maffei (Vienna), Tiziana Margaria (Limerick), Flemming Nielson (Copenhagen), Catuscia Palamidessi (Palaiseau), Andrew M. Pitts (Cambridge), Alessandra Russo (London), Dave Sands (Göteborg), Don Sannella (Edinburgh), Andy Schürr (Darmstadt), Alex Simpson (Ljubljana), Gabriele Taentzer (Marburg), Peter Thiemann (Freiburg), Jan Vitek (Prague), Tomáš Vojnar (Brno), and Lijun Zhang (Beijing).

I would like to take this opportunity to thank all speakers, attendees, organizers of the satellite workshops, and Springer for their support. I hope you all enjoy the proceedings of ETAPS 2018. Finally, a big thanks to Panagiotis and his local organization team for all their enormous efforts that led to a fantastic ETAPS in Thessaloniki!


February 2018 Joost-Pieter Katoen 


Preface 


This volume contains the papers presented at the 21st International Conference on 
Foundations of Software Science and Computation Structures (FoSSaCS 2018), which 
was held April 16-19, 2018, in Thessaloniki, Greece. The conference is dedicated to 
foundational research with a clear significance for software science and brings together 
research on theories and methods to support the analysis, integration, synthesis, 
transformation, and verification of programs and software systems. 

The program consisted of 31 contributed papers, selected from among 103 submissions. Each submission was reviewed by at least three Program Committee members, with the help of external experts. After a three-day rebuttal phase, the selection was made based on discussions via the EasyChair conference management system, which was also used to assist with the compilation of the proceedings.

We wish to thank all authors who submitted to FoSSaCS 2018, all the Program Committee members for their excellent work, and the external reviewers for their thorough evaluation of the submissions. In addition, we would like to thank the ETAPS organization for providing an excellent environment for FoSSaCS and other conferences and workshops.
Abstract. The hiding operation, crucial in the compositional aspect of game semantics, removes computation paths not leading to observable results. Accordingly, games models are usually biased towards angelic non-determinism: diverging branches are forgotten.

We present here new categories of games, not suffering from this bias. In our first category, we achieve this by avoiding hiding altogether; instead morphisms are uncovered strategies (with neutral events) up to weak bisimulation. Then, we show that by hiding only certain events dubbed inessential we can consider strategies up to isomorphism, and still get a category; this partial hiding remains sound up to weak bisimulation, so we get a concrete representation of programs (as in standard concurrent games) while avoiding the angelic bias. These techniques are illustrated with an interpretation of affine nondeterministic PCF which is adequate for weak bisimulation, and for may, must and fair convergences.


1 Introduction 


Game semantics represents programs as strategies for two player games determined by the types. Traditionally, a strategy is simply a collection of execution traces, each presented as a play (a structured sequence of events) on the corresponding game. Beyond giving a compositional framework for the formal semantics of programming languages, game semantics proved exceptionally versatile, providing very precise (often fully abstract) models of a variety of languages and programming features. One of its rightly celebrated achievements is the realisation that combinations of certain effects, such as various notions of state or control, could be characterised via corresponding conditions on strategies (innocence, well bracketing, ...) in a single unifying framework. This led Abramsky to propose the semantic cube programme [1], aiming to extend this success to further programming features: concurrency, non-determinism, probabilities, etc.

However, this elegant picture soon showed some limitations. While indeed the basic category of games was successfully extended to deal with concurrency [10,13], non-determinism [11], and probabilities [9] among others, these extensions (although fully abstract) are often incompatible with each other, and really, incompatible as well with the central condition of innocence. Hence a semantic hypercube encompassing all these effects remained out of reach. It is only recently that some new progress has been made with the discovery that some of these effects could be reconciled in a more refined, more intensional games framework. For instance, in [6,16] innocence is reconciled with non-determinism, and in [15] with probabilities. In [7], innocence is reconciled with concurrency.

But something is still missing: the works above dealing with non-deterministic innocence consider only may-convergence; they ignore execution branches leading to divergence. To some extent this seems to be a fundamental limitation of the game semantics methodology: at the heart of the composition of strategies lies the hiding operation that removes unobservable events. Diverging paths, by nature non-observable, are forgotten by hiding. Some models of must-testing do exist for particular languages, notably McCusker and Harmer's model for non-deterministic Idealized Algol [11]; the model works by annotating strategies with stopping traces, recording where the program may diverge. But this approach again mixes poorly with other constructions (notably innocence), and more importantly, is tied to may and must equivalences. It is not clear how it could be extended to support richer notions of convergence, such as fair-testing [2].

Our aim is to present a basis for non-deterministic game semantics which, besides being compatible with innocence, concurrency, etc., is not biased towards may-testing; it is non-angelic. It should not be biased towards must-testing either; it should in fact be agnostic with respect to the testing equivalence, and support them all. Clearly, for this purpose it is paramount to remember the non-deterministic branching information; indeed in the absence of that information, notions such as fair-testing are lost. In fact, there has been a lot of activity in the past five years or so around games models that do observe the branching information. It is a feature of Hirschowitz's work presenting strategies as presheaves or sheaves on certain categories of cospans [12]; of Tsukada and Ong's work on nondeterministic innocence via sheaves [16]; and of our own line of work presenting strategies as certain event structures [5,7,14].

But observing branching information is not sufficient. Of the works mentioned above, those of Tsukada and Ong and our own previous work are still angelic, because they rely on hiding for composition. On the other hand, Hirschowitz's work gets close to achieving our goals; by refraining from hiding altogether, his model constructs an agnostic and precise representation of the operational behaviour of programs, on which he then considers fair-testing. But by not considering hiding he departs from the previous work and methods of game semantics, and from the methodology of denotational semantics. In contrast, we would like an agnostic games model that still has the categorical structure of traditional semantics. A games model with partial hiding was also recently introduced by Yamada [18], albeit for a different purpose: he uses partial hiding to represent normalization steps, whereas we use it to represent fine-grained nondeterminism.


Contributions. In this paper, we present the first category of games and strategies equipped to handle non-determinism, but agnostic with respect to the notion of convergence (including fair convergence). We showcase our model by interpreting APCF⊥, an affine variant of non-deterministic PCF: it is the simplest language featuring the phenomena of interest. We show adequacy with respect to may, must and fair convergences. The reader will find in the first author's PhD thesis [3] corresponding results for full non-deterministic PCF (with detailed proofs), and an interpretation of a higher-order language with shared memory concurrency. In [3], the model is proved compatible with our earlier notions of innocence, by establishing a result of full abstraction for may equivalence, for nondeterministic PCF. We have yet to prove full abstraction in the fair and must cases; finite definability does not suffice anymore.


Outline. We begin Sect. 2 by introducing APCF⊥. To set the stage, we describe an angelic interpretation of APCF⊥ in the category CG built in [14] with strategies up to isomorphism, and hint at our two new interpretations. In Sect. 3, starting from the observation that the cause of "angelism" is hiding, we omit it altogether, constructing an uncovered variant of our concurrent games, similar to that of Hirschowitz. Despite not hiding, when restricting the location of non-deterministic choices to internal events, we can still obtain a category up to weak bisimulation. But weak bisimulation is not perfect: it does not preserve must-testing, and is not easily computed. So in Sect. 4, we reinstate some hiding: we show that by hiding all synchronised events except some dubbed essential, we arrive at the best of both worlds. We get an agnostic category of games and strategies up to isomorphism, and we prove our adequacy results.


2 Three Interpretations of Affine Nondeterministic PCF 


2.1 Syntax of APCF⊥


The language APCF⊥ extends affine PCF with a nondeterministic boolean choice, choice. Its types are A, B ::= 𝔹 | A ⊸ B, where A ⊸ B represents affine functions from A to B. The following grammar describes terms of APCF⊥:


M, N ::= x | M N | λx. M | tt | ff | if M N₁ N₂ | choice | ⊥


Typing rules are standard; we show application and conditionals. As usual, a conditional eliminating to arbitrary types can be defined as syntactic sugar.


$$\frac{\Gamma \vdash M : A \multimap B \qquad \Delta \vdash N : A}{\Gamma, \Delta \vdash M\,N : B}
\qquad\qquad
\frac{\Gamma \vdash M : \mathbb{B} \qquad \Delta \vdash N_1 : \mathbb{B} \qquad \Delta \vdash N_2 : \mathbb{B}}{\Gamma, \Delta \vdash \mathsf{if}\ M\ N_1\ N_2 : \mathbb{B}}$$


The first rule is multiplicative: Γ and Δ are disjoint. The operational semantics is that of PCF extended with the (only) two nondeterministic rules choice → tt and choice → ff.


2.2 Game Semantics and Event Structures 


Game semantics interprets an open program by a strategy, recording the behaviour of the program (Player) against the context (Opponent) in a 2-player game. Usually, the executions recorded are represented as plays, i.e. linear sequences of computational events called moves; a strategy being then a set of such plays. For instance, the nondeterministic boolean would be represented as the (even-prefix closure of the) set of plays {q⁻ · tt⁺, q⁻ · ff⁺} on the game for booleans. In the play q⁻ · tt⁺, the context starts the computation by asking the value of the program (q⁻) and the program replies (tt⁺). Polarity indicates the origin (Program (+) or Opponent/Environment (−)) of the event.

Being based on sequences of moves, traditional game semantics handles concurrency via interleavings [10]. In contrast, in concurrent games [14], plays are generalised to partial orders which can express concurrency as a primitive. For instance, the execution of a parallel implementation of and against the context (tt, tt) gives the following partial order:


In this picture, the usual chronological linear order is replaced by an explicit partial order representing causality. Moves are concurrent when they are incomparable (as the two Player questions here). Following the longstanding convention in game semantics, we show which component of the type a computational event corresponds to by displaying it under the corresponding occurrence of a ground type. For instance in this diagram, Opponent first triggers the computation by asking the output value, and then and concurrently evaluates his two arguments. The arguments having evaluated to tt, and can finally answer Opponent's initial question and provide the output value.

In [7], we have shown how deterministic pure functional parallel programs 
can be interpreted (in a fully abstract way) using such representations. 


Partial-Orders and Non-determinism. To represent nondeterminism in this partial order setting, one possibility is to use sets of partial orders [4]. This representation suffers however from two drawbacks: firstly it forgets the point of non-deterministic branching; secondly, one cannot talk of an occurrence of a move independently of an execution. Those issues are solved by moving to event structures [17], where the nondeterministic boolean can be represented as:


The wiggly line (~~) indicates conflict: the boolean values cannot coexist in an 
execution. Together this forms an event structure, defined formally later. 
2.3 Interpretations of APCF⊥ with Event Structures


Let us introduce informally our interpretations by showing which event structures they associate to certain terms of APCF⊥.


Angelic Covered Interpretation. Traditional game semantics interpretations of nondeterminism are angelic (with exceptions, see e.g. [11]); they only describe what terms may do, and forget where they might get stuck. The interpretation of M = (λb. if b tt ⊥) choice for instance, in usual game semantics is the same as that of tt. This is due to the nature of composition which tends to forget paths that do not lead to a value. Consider the strategy for the function λb. if b tt ⊥:


[Diagram of the strategy on 𝔹 ⊸ 𝔹 omitted]


The interpretation of M arises as the composition of this strategy with the nondeterministic boolean. Composition is defined in two steps: interaction (Fig. 1a) and then hiding (Fig. 1b). Hiding removes intermediate behaviour which does not correspond to visible actions in the output type of the composition.

Hiding is crucial in order for composition to satisfy basic categorical properties (without it, the identity candidate, copycat, is not even idempotent). Strategies on event structures are usually considered up to isomorphism, which is the strongest equivalence relation that makes sense. Without hiding, there is no hope to recover categorical laws up to isomorphism. However, it turns out that, treating events in the middle as τ-transitions (∗ in Fig. 1a), weak bisimulation equates enough strategies to get a category. Following these ideas, a category of uncovered strategies up to weak bisimilarity is built in Sect. 3.


[Diagrams of Fig. 1 omitted: each shows an interaction on 𝔹 that starts with the Opponent question q (−) and ends with the answer tt (+); internal events are marked ∗]


Fig. 1. Three interpretations of (λb. if b tt ⊥) choice: (a) interpretation before hiding, (b) interpretation after hiding, (c) interpretation with partial hiding.
Interpretation with Partial Hiding. However, considering uncovered strategies up to weak bisimulation blurs their concrete nature; causal information is lost, for instance. Moreover checking for weak bisimilarity is computationally expensive, and because of the absence of hiding, a term evaluating to skip may yield a very large representative. However, there is a way to cut down the strategies to reach a compromise between hiding no internal events, or hiding all of them and collapsing to an angelic interpretation.

In our games based on event structures, having a non-ambiguous notion of an occurrence of event allows us to give a simple definition of the internal events we need to retain (Definition 9). Hiding other internal events yields a strategy still weakly bisimilar to the original (uncovered) strategy, while allowing us to get a category up to isomorphism. The interpretation of M in this setting appears in Fig. 1c. As before, only the events under the result type (not labelled ∗) are now visible, i.e. observable by a context. But the events corresponding to the argument evaluation are only partially hidden; those remaining are considered internal, treated like τ-transitions. Because of their presence, the partial hiding performed loses no information (w.r.t. the uncovered interpretation) up to weak bisimilarity. But we have hidden enough so that the required categorical laws between strategies hold w.r.t. isomorphism. The model is more precise and concrete than that of weak bisimilarity, preserves causal information and preserves must-convergence (unlike weak bisimilarity).

Following these ideas, a category of partially covered strategies up to iso (the 
target of our adequacy results) is constructed in Sect. 4. 


3 Uncovered Strategies up to Weak Bisimulation 


We now construct a category of “uncovered strategies”, up to weak bisimulation. 
Uncovered strategies are very close to the partial strategies of [8], but [8] focused 
on connections with operational semantics rather than categorical structure. 


3.1 Preliminaries on Event Structures 


Definition 1. An event structure is a triple (E, ≤_E, Con_E) where (E, ≤_E) is a partial order and Con_E is a non-empty collection of finite subsets of E called consistent sets subject to the following axioms:


- If e ∈ E, the set [e] = {e' ∈ E | e' ≤ e} is finite,

- For all e ∈ E, the set {e} is consistent,

- For all Y ∈ Con_E, for all X ⊆ Y, X ∈ Con_E,

- If X ∈ Con_E and e ≤ e' ∈ X then X ∪ {e} is consistent.


A down-closed subset of events whose finite subsets are all consistent is called a configuration. The set of finite configurations of E is denoted C(E). If x ∈ C(E) and e ∉ x, we write x —⊂ x' (by e) when x' = x ∪ {e} ∈ C(E); this is the covering relation between configurations, and we say that e gives an extension of x. Two extensions e and e' of x are compatible when x ∪ {e, e'} ∈ C(E), incompatible otherwise. In the latter case, we have a minimal conflict between e and e' in context x (written e ~~_x e').

These event structures are based on consistent sets rather than the more commonly-encountered binary conflict relation. Consistent sets are more general, and more handy mathematically, but throughout this paper, event structures concretely represented in diagrams will only use binary conflict, i.e. the relation e ~~_x e' does not depend on x, meaning e ~~_y e' whenever y extends with e and with e', in which case we only write e ~~ e'. Then consistent sets can be recovered as those finite X ⊆ E such that ¬(e ~~ e') for all e, e' ∈ X. Our diagrams display the relation ~~, along with the Hasse diagram of ≤_E, called immediate causality and denoted by →_E. All the diagrams above denote event structures. The missing ingredient in making the diagrams formal is the names accompanying the events (q, tt, ff, ...). These will arise as annotations by events from games, themselves event structures, representing the types.

The parallel composition E₀ ∥ E₁ of event structures E₀ and E₁ has for events ({0} × E₀) ∪ ({1} × E₁). The causal order is given by (i, e) ≤_{E₀∥E₁} (j, e') when i = j and e ≤_{E_i} e', and consistent sets by those finite subsets of E₀ ∥ E₁ that project to consistent sets in both E₀ and E₁.

A (partial) map of event structures f : A → B is a (partial) function on events which (1) maps any finite configuration of A to a configuration of B, and (2) is locally injective: for a, a' ∈ x ∈ C(A) and f a = f a' (both defined) then a = a'. We write ℰ for the category of event structures and total maps and ℰ_⊥ for the category of event structures and partial maps.

An event structure with partial polarities is an event structure A with a map pol : A → {−, +, ∗} (where events are labelled "negative", "positive", or "internal" respectively). It is a game when no events are internal. The dual A^⊥ of a game A is obtained by reversing polarities. Parallel composition naturally extends to games. If x and y are configurations of an event structure with partial polarities we use x ⊆^p y where p ∈ {−, +, ∗} for x ⊆ y & pol(y \ x) ⊆ {p}.

Given an event structure E and a subset V ⊆ E of events, there is an event structure E ↓ V whose events are V and causality and consistency are inherited from E. This construction is called the projection of E to V and is used in [14] to perform hiding during composition.


3.2 Definition of Uncovered Pre-strategies 


As in [14], we first introduce pre-strategies and their composition, and then 
consider strategies, those pre-strategies well-behaved with respect to copycat. 


Uncovered Pre-strategies. An uncovered pre-strategy on a game A is a partial map of event structures σ : S ⇀ A. Events in the domain of σ are called visible or external, and events outside invisible or internal. Via σ, visible events inherit polarities from A.

Uncovered pre-strategies are drawn just like the usual strategies of [14]: the event structure S has its events drawn as their labelling in A if defined or ∗ if undefined. The drawing of Fig. 1a is an example of an uncovered pre-strategy. From an (uncovered) pre-strategy, one can get a pre-strategy in the sense of [14]: for σ : S ⇀ A, define S_↓ = S ↓ dom(σ) where dom(σ) is the domain of σ. By restriction σ yields σ_↓ : S_↓ → A, called a covered pre-strategy. A configuration x of S can be decomposed as the disjoint union x_v ∪ x_i where x_v is a configuration of S_↓ and x_i a set of internal events of S.

A pre-strategy from a game A to a game B is an (uncovered) pre-strategy on A^⊥ ∥ B. An important pre-strategy from a game A to itself is the copycat pre-strategy. In A^⊥ ∥ A, each move of A appears twice with dual polarity. The copycat pre-strategy cc_A simply waits for the negative occurrence of a move a before playing the positive occurrence. See [5] for a formal definition.

Isomorphism of strategies [14] can be extended to uncovered pre-strategies: 


Definition 2. Pre-strategies σ : S ⇀ A, τ : T ⇀ A are isomorphic (written σ ≅ τ) if there is an iso φ : S ≅ T s.t. τ ∘ φ = σ (equality of partial maps).


Interaction of Pre-strategies. Recall that in the covered case, composition is performed first by interaction, then hiding; where interaction of pre-strategies is described as their pullback in the category of total maps [14]. Even though ℰ_⊥ has pullbacks, those pullbacks are inadequate to describe interaction. In [8], uncovered strategies are seen as total maps σ : S → A ∥ N, and their interaction as a pullback involving these. This method has its awkwardness so, instead, here we give a direct universal construction of interaction, replacing pullbacks.

We start with the simpler case of a closed interaction of a pre-strategy σ : S ⇀ A against a counter pre-strategy τ : T ⇀ A^⊥. As in [5] we first describe the expected states of the closed interaction in terms of secured bijections, from which we construct an event structure; before characterising the whole construction via a universal property.


Definition 3 (Secured bijection). Let q, q' be partial orders and φ : q ≃ q' be a bijection between the carrier sets (not necessarily order-preserving). It is secured when the following relation <_φ on the graph of φ is acyclic:


$$(s, \varphi(s)) <_\varphi (s', \varphi(s')) \quad\text{iff}\quad s <_q s' \;\vee\; \varphi(s) <_{q'} \varphi(s') \tag{1}$$


If so, the resulting partial order (<_φ)* is written ≤_φ.
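As an added example, not code from the paper, the following Python checks Definition 3 on finite orders: it builds relation (1) on the graph of a bijection and reports whether it is acyclic, returning a linearisation of ≤_φ when it is. The orders Q and Q2 and the two bijections are constructed here to show both outcomes: one pairing makes each side wait for the other (not secured), the other is secured.

```python
def secured(q, q2, phi):
    """Definition 3 for finite orders. q and q2 are strict partial orders on the two
    carrier sets, given as sets of (a, b) pairs meaning a < b (transitively closed
    or not; acyclicity is the same either way); phi is a dict mapping the carrier
    of q bijectively onto that of q2. Returns (True, order), where order lists the
    pairs (s, phi s) in a linearisation of <=_phi, when relation (1) is acyclic,
    and (False, None) when it has a cycle."""
    graph = [(s, phi[s]) for s in phi]
    # relation (1): (s, phi s) <_phi (s', phi s')  iff  s <_q s'  or  phi s <_q2 phi s'
    succ = {p: {p2 for p2 in graph
                if p2 != p and ((p[0], p2[0]) in q or (p[1], p2[1]) in q2)}
            for p in graph}
    # Kahn's algorithm: repeatedly emit a pair that nothing remaining must precede;
    # every pair gets emitted iff the relation is acyclic
    indegree = {p: sum(p in succ[p2] for p2 in graph) for p in graph}
    ready = [p for p in graph if indegree[p] == 0]
    order = []
    while ready:
        p = ready.pop()
        order.append(p)
        for p2 in succ[p]:
            indegree[p2] -= 1
            if indegree[p2] == 0:
                ready.append(p2)
    return (True, order) if len(order) == len(graph) else (False, None)


# Constructed example: one side requires a < b, the other requires b' < a'.
Q = {("a", "b")}
Q2 = {("b'", "a'")}
# Pairing a with a' and b with b' makes each pair wait for the other: a cycle.
DEADLOCK = secured(Q, Q2, {"a": "a'", "b": "b'"})
# Pairing a with b' and b with a' orders the synchronised pairs consistently.
SYNC = secured(Q, Q2, {"a": "b'", "b": "a'"})
```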


Let σ : S ⇀ A and τ : T ⇀ A be partial maps of event structures (we dropped polarities, as the construction is completely independent of them). A pair (x, y) ∈ C(S) × C(T) such that σx = τy ∈ C(A) induces a bijection φ_{x,y} : x ∥ y_i ≃ x_i ∥ y defined by local injectivity of σ and τ:

φ_{x,y}(0, s) = (0, s)                (s ∈ x_i)
φ_{x,y}(0, s) = (1, τ⁻¹(σ s))         (s ∈ x_v)
φ_{x,y}(1, t) = (1, t)                (t ∈ y_i)

The configurations x and y have a partial order inherited from S and T. Viewing y_i and x_i as discrete orders (the ordering relation is the equality), φ_{x,y} is a bijection between carrier sets of partial orders. An interaction state of σ and τ is (x, y) ∈ C(S) × C(T) with σx = τy for which φ_{x,y} is secured. As a result (the graph of) φ_{x,y} is naturally partially ordered. Write 𝒮_{σ,τ} for the set of interaction states of σ and τ. As usual [5], we can recover an event structure:


Definition 4 (Closed interaction of uncovered pre-strategies). Let A be an event structure, and σ : S ⇀ A and τ : T ⇀ A be partial maps of event structures. The following data defines an event structure S ∧ T:


- events: those interaction states (x, y) such that φ_{x,y} has a top element,

- causality: (x, y) ≤_{S∧T} (x', y') iff x ⊆ x' and y ⊆ y',

- consistency: a finite set of interaction states X ⊆ S ∧ T is consistent iff its union ∪X is an interaction state in 𝒮_{σ,τ}.


This event structure comes with partial maps Π₁ : S ∧ T ⇀ S and Π₂ : S ∧ T ⇀ T, analogous to the usual projections of a pullback: for (x, y) ∈ S ∧ T, Π₁(x, y) is defined to s ∈ S whenever the top element of φ_{x,y} is ((0, s), w) for some w ∈ x_i ∥ y. The map Π₁ is undefined only on events of S ∧ T corresponding to internal events of T (i.e. (x, y) with top element of φ_{x,y} of the form ((1, t), (1, t))). The map Π₂ is defined symmetrically, and undefined on events corresponding to internal events of S. We write σ ∧ τ for σ ∘ Π₁ = τ ∘ Π₂ : S ∧ T ⇀ A.


Lemma 1. Let σ : S ⇀ A and τ : T ⇀ A be partial maps. Let (X, f : X ⇀ S, g : X ⇀ T) be a triple such that the following outer square commutes:


If for all p ∈ X with f p and g p defined, σ(f p) = τ(g p) is defined, then there exists a unique ⟨f, g⟩ : X ⇀ S ∧ T making the two upper triangles commute.


From this closed interaction, we define the open interaction as in [14]. Given two pre-strategies σ : S ⇀ A^⊥ ∥ B and τ : T ⇀ B^⊥ ∥ C, their interaction


$$\tau \circledast \sigma : (S \parallel C) \wedge (A \parallel T) \rightharpoonup A^\perp \parallel C$$


is defined as the composite partial map (S ∥ C) ∧ (A ∥ T) ⇀ A ∥ B ∥ C ⇀ A ∥ C, where the "pullback" is first computed ignoring polarities; the codomain of the resulting partial map is A^⊥ ∥ C, once we reinstate polarities.
Weak Bisimulation. To compare uncovered pre-strategies, we cannot use isomorphisms as in [14], since as hinted earlier, cc_A ⊛ σ comprises synchronised events not corresponding to those in σ. To solve this, we introduce weak bisimulation between uncovered strategies:


Definition 5. Let σ : S ⇀ A and τ : T ⇀ A be uncovered pre-strategies. A weak bisimulation between σ and τ is a relation ℛ ⊆ C(S) × C(T) containing (∅, ∅), such that for all x ℛ y, we have:


- If x —⊂ x' (by s) such that s is visible, then there exists y ⊆^∗ y' —⊂ y'' (by t) with σs = τt and x' ℛ y'' (and the symmetric condition for τ),

- If x —⊂ x' (by s) such that s is internal, then there exists y ⊆^∗ y' such that x' ℛ y' (and the symmetric condition for τ).


Two uncovered pre-strategies σ, τ are weakly bisimilar (written σ ≈ τ) when there is a weak bisimulation between them.


Associativity of interaction (up to isomorphism, hence up to weak bisimulation) follows directly from Lemma 1. Moreover, it is straightforward to check that weak bisimulation is a congruence (i.e. compatible with composition).


Composition of Covered Strategies. From interaction, we can easily define the composition of covered strategies. If σ : S ⇀ A^⊥ ∥ B and τ : T ⇀ B^⊥ ∥ C are covered pre-strategies, their composition (in the sense of [14]) τ ⊙ σ is defined as (τ ⊛ σ)_↓. The operation ↓ is well-behaved with respect to interaction:


Lemma 2. For σ, τ composable pre-strategies, (τ ⊛ σ)_↓ = τ_↓ ⊙ σ_↓.


3.3 A Compact-Closed Category of Uncovered Strategies 


Although we have a notion of morphism (pre-strategies) between games and an associative composition, we do not have a category up to weak bisimulation yet. Unlike in [14], races in a game may cause copycat on this game to not be idempotent (see [3] for a counterexample), which is necessary for it to be an identity. To ensure that, we restrict ourselves to race-free games: those such that whenever a configuration x can be extended by a₁, a₂ of distinct polarities, the union x ∪ {a₁, a₂} is consistent. From now on, games are assumed race-free.


Lemma 3. For a race-free game A, cc_A ⊛ cc_A ≈ cc_A.


Proof. It will follow from the forthcoming Lemma 4. 


Uncovered Strategies. Finally, we characterise the pre-strategies invariant under composition with copycat. The two ingredients of [5,14], receptivity and courtesy (called innocence in [14]) are needed, but this is not enough: we need another condition as witnessed by the following example.

Consider the strategy σ : ⊕₁ ~~~ ⊕₂ on the game A = ⊕₁  ⊕₂ playing non-deterministically one of the two moves. Then the interaction cc_A ⊛ σ is:


A⊥            A
*₁ ─────▸ ⊕₁
*₂ ─────▸ ⊕₂
It is not weakly bisimilar to σ: cc_A ⊛ σ can do *₁, an internal transition, to which σ can only respond by not doing anything. Then σ can still do ⊕₁ and ⊕₂ whereas cc_A ⊛ σ cannot: it is committed to doing ⊕₁. To solve this problem, we need to force strategies to decide their nondeterministic choices secretly, by means of internal events; so σ will not be a valid uncovered strategy, but cc_A ⊛ σ will. Indeed, cc_A ⊛ (cc_A ⊛ σ), shown below, is weakly bisimilar to cc_A ⊛ σ.


A⊥            A⊥            A
*₁ ─────▸ *₁' ─────▸ ⊕₁
(and symmetrically for ⊕₂)
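The (non-)bisimilarities claimed above can be checked mechanically. The following is an added example, not code from the paper: it encodes the configuration graphs of σ, cc_A ⊛ σ and cc_A ⊛ (cc_A ⊛ σ) as small labelled transition systems, with "*" marking internal events, and computes the largest relation satisfying the two clauses of Definition 5 by greatest-fixpoint iteration. The state names and the TAU marker are this example's own conventions.

```python
# Added example (not from the paper): Definition 5 checked on finite transition systems
# that stand in for the configuration graphs of the ⊕1/⊕2 example.  State names and the
# TAU marker are this example's own conventions.
from itertools import product

TAU = "*"  # label of an internal (invisible) event, as the paper's *1, *2


class LTS:
    """States are strings; `trans` maps a state to a set of (label, successor) pairs."""

    def __init__(self, init, trans):
        self.init = init
        self.trans = trans
        self.states = set(trans) | {t for succ in trans.values() for _, t in succ}

    def tau_closure(self, y):
        """y ⊆* y': every state reachable from y by zero or more internal steps."""
        seen, todo = {y}, [y]
        while todo:
            for lab, nxt in self.trans.get(todo.pop(), ()):
                if lab == TAU and nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
        return seen

    def weak_steps(self, y, label):
        """Targets y'' of  y ⊆* y' —label→ y''  (internal steps, then one visible step)."""
        return {nxt for y1 in self.tau_closure(y)
                for lab, nxt in self.trans.get(y1, ()) if lab == label}


def weakly_bisimilar(a, b):
    """Compute the largest relation satisfying both clauses of Definition 5 (in both
    directions) by greatest-fixpoint iteration; report whether it relates the two
    initial states, i.e. the two empty configurations."""
    rel = set(product(a.states, b.states))

    def clauses_hold(x, y, lts_x, lts_y, flipped):
        # Every move of x must be matched by y as Definition 5 prescribes.
        for lab, x2 in lts_x.trans.get(x, ()):
            if lab == TAU:
                matches = lts_y.tau_closure(y)          # internal: y ⊆* y'
            else:
                matches = lts_y.weak_steps(y, lab)      # visible: y ⊆* y' —lab→ y''
            as_pair = (lambda y2: (y2, x2)) if flipped else (lambda y2: (x2, y2))
            if not any(as_pair(y2) in rel for y2 in matches):
                return False
        return True

    changed = True
    while changed:
        changed = False
        for x, y in list(rel):
            if not (clauses_hold(x, y, a, b, False) and clauses_hold(y, x, b, a, True)):
                rel.discard((x, y))
                changed = True
    return (a.init, b.init) in rel


# σ plays ⊕1 or ⊕2 directly: the nondeterministic choice is visible.
SIGMA = LTS("∅", {"∅": {("⊕1", "{⊕1}"), ("⊕2", "{⊕2}")}})

# cc_A ⊛ σ first commits through an internal synchronised event *1 or *2.
CC_SIGMA = LTS("∅", {
    "∅": {(TAU, "{*1}"), (TAU, "{*2}")},
    "{*1}": {("⊕1", "{*1,⊕1}")},
    "{*2}": {("⊕2", "{*2,⊕2}")},
})

# cc_A ⊛ (cc_A ⊛ σ) adds a second internal event *i' in front of each visible move.
CC_CC_SIGMA = LTS("∅", {
    "∅": {(TAU, "{*1}"), (TAU, "{*2}")},
    "{*1}": {(TAU, "{*1,*1'}")},
    "{*2}": {(TAU, "{*2,*2'}")},
    "{*1,*1'}": {("⊕1", "{*1,*1',⊕1}")},
    "{*2,*2'}": {("⊕2", "{*2,*2',⊕2}")},
})


def paper_example():
    """(σ ≈ cc_A ⊛ σ ?, cc_A ⊛ σ ≈ cc_A ⊛ (cc_A ⊛ σ) ?) as claimed in the text."""
    return (weakly_bisimilar(SIGMA, CC_SIGMA),
            weakly_bisimilar(CC_SIGMA, CC_CC_SIGMA))
```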
Definition 6. An (uncovered) strategy is a pre-strategy σ : S → A satisfying:

– receptivity: if x ∈ 𝒞(S) is such that σx −⊂^a with a ∈ A negative, then there exists a unique x −⊂^s with σ s = a;
– courtesy: if s ⇢ s' and s is positive or s' is negative, then σ s ⇢ σ s';
– secrecy: if x ∈ 𝒞(S) extends with s₁, s₂ but x ∪ {s₁, s₂} ∉ 𝒞(S), then s₁ and s₂ are either both negative, or both internal.


Receptivity and courtesy are stated exactly as in [14]. As a result, hiding the internal events of an uncovered strategy yields a strategy σ↓ in the sense of [14]. For any game A, cc_A is an uncovered strategy: it satisfies secrecy as its only minimal conflicts are inherited from the game and are between negative events.


The Category CG⊛. Our definition of uncovered strategy does imply that copycat is neutral for composition.

Lemma 4. Let σ : S → A be an uncovered strategy. Then cc_A ⊛ σ ≈ σ.

The result follows immediately:

Theorem 1. Race-free games and uncovered strategies up to weak bisimulation form a compact-closed category CG⊛.


3.4 Interpretation of Affine Nondeterministic PCF 


From now on, strategies are by default considered uncovered. We sketch the interpretation of APCF₊ inside CG⊛. As a compact-closed category, CG⊛ supports an interpretation of the linear λ-calculus. However, the empty game 1 is not terminal, as there is no natural transformation e_A : A → 1 in CG⊛.


The negative category CG⊛⁻. We solve this issue as in [4], by looking at negative strategies and negative games.

Definition 7. An event structure with partial polarities is negative when all its minimal events are negative.


A strategy σ : S → A is negative when S is. Copycat on a negative game is negative, and negative strategies are stable under composition:

Lemma 5. There is a subcategory CG⊛⁻ of CG⊛ consisting of negative race-free games and negative strategies. It inherits a monoidal structure from CG⊛ in which the unit (the empty game) is terminal.


Moreover, CG⊛⁻ has products. The product A & B of two games A and B has events, causality, polarities as for A || B, but consistent sets restricted to those of the form {0} × X or {1} × X with X consistent in A or B. The projections are π_A : cc_A → (A & B)⊥ || A, and π_B : cc_B → (A & B)⊥ || B.

Finally, the pairing of negative strategies σ : S → A⊥ || B and τ : T → A⊥ || C is the obvious map ⟨σ, τ⟩ : S & T → A⊥ || B & C, and the laws for the cartesian product are direct verifications.

We also need a construction to interpret the function space. However, for A and B negative, A⊥ || B is not usually negative. To circumvent this, we introduce a negative variant A ⊸ B, the linear arrow. To simplify the presentation, we only define it in a special case. A game is well-opened when it has at most one initial event. When B is well-opened, we define A ⊸ B to be 1 if B = 1; and otherwise A⊥ || B with the exception that every move in A depends on the single minimal move in B. As a result ⊸ preserves negativity. We get:


Lemma 6. If B is well-opened, A ⊸ B is well-opened and is an exponential object of A and B.

In other words, well-opened games are an exponential ideal in CG⊛⁻. We interpret types of APCF₊ inside well-opened games of CG⊛⁻:


⟦com⟧ = ⋯ done⁺        ⟦B⟧ = q⁻ with tt⁺ ~~~ ff⁺ causally below it        ⟦A → B⟧ = ⟦A⟧ ⊸ ⟦B⟧


Interpretation of Terms. Interpretation of the affine λ-calculus in CG⊛ follows standard methods. First, the primitives tt, ff, ⊥, if are interpreted as:

⟦tt⟧ : B        ⟦ff⟧ : B        ⟦⊥⟧ : B        if : B ⊸ (B & B) ⊸ B

[diagram: each of the four strategies opens with the negative question q⁻; ⟦tt⟧ and ⟦ff⟧ answer it with tt⁺ and ff⁺ respectively, ⟦⊥⟧ follows it with an internal event and never answers, and ⟦if⟧ is the usual conditional strategy]
A non-standard point is the interpretation of ⊥: usually interpreted in game semantics by the minimal strategy simply playing q (as will be done in the next section), our interpretation here reflects the fact that ⊥ represents an infinite computation that never returns. Conditionals are implemented as usual:

⟦if M N N'⟧⊛ = if ⊛ (⟦M⟧⊛ || ⟨⟦N⟧⊛, ⟦N'⟧⊛⟩).
Soundness and Adequacy. We now prove adequacy for various notions of convergence. First, we build an uncovered strategy from the operational semantics.


Definition 8 (The operational tree). Let M be a closed term of type B. We define the pre-strategy t(M) on B as follows:

Events: An initial event ⊥ plus one event per derivation M →* M'.
Causality: ⊥ is below other events, and derivations are ordered by prefix.
Consistency: A set of events is consistent when its events are comparable.
Labelling: ⊥ has label q, a derivation M →* b where b ∈ {tt, ff} is labelled by b. Other derivations are internal.


As a result, t(M) is a tree. Our main result of adequacy can now be stated:

Theorem 2. For a term ⊢ M : B, t(if M tt ff) and ⟦M⟧⊛ are weakly bisimilar.

We need to consider t(if M tt ff) and not simply t(M) to ensure secrecy. From this theorem, adequacy results for may and fair convergences arise:


Corollary 1. For any term ⊢ M : B, we have:

May: M →* tt if and only if ⟦M⟧⊛ contains a positive move.
Fair: For all M →* M', M' can converge, if and only if all finite configurations of ⟦M'⟧⊛ can be extended to contain a positive move.


However, we cannot conclude adequacy for must equivalence from Theorem 2. Indeed, must convergence is not generally stable under weak bisimilarity: for instance, (the strategies representing) tt and Y(λx. if choice tt x) are weakly bisimilar but the latter is not must convergent. To address this, in the next section we will refine the interpretation to obtain a closer connection with syntax.


4 Essential Events 


The model presented in the previous section is very operational; configurations 
of [M]@ can be seen as derivations for an operational semantics. The price, 
however, is that besides the fact that the interpretation grows dramatically in 
size, we can only get a category up to weak bisimulation, which can be too 
coarse (for instance for must convergence). We would like to remove all events 
that are not relevant to the behaviour of terms up to weak bisimulation. In other 
words, we want a notion of essential internal events that (1) suffices to recover 
all behaviour with respect to weak bisimulation, but which (2) is not an obstacle 
to getting a category up to isomorphism (which amounts to cc_A ⊙ σ ≅ σ).

4.1 Definition of Essential Events


As shown before, the loss of behaviours when hiding is due to the disappearance 
of events participating in a conflict. A neutral event may not have visible con- 
sequences but still be relevant if in a minimal conflict; such events are essential. 


Definition 9. Let σ : S → A be an uncovered pre-strategy. An essential event of S is an event s which is either visible, or (internal and) involved in a minimal conflict (that is, such that we have s ~~~ₓ s' for some s', x).


Write E_σ for the set of essential events of σ. Any pre-strategy σ : S → A induces another pre-strategy ℰ(σ) : ℰ(S) = S ↓ E_σ → A called the essential part of σ. The following proves that our definition satisfies (1): no behaviour is lost.

Lemma 7. An uncovered pre-strategy σ : S → A is weakly bisimilar to ℰ(σ).

This induces a new notion of (associative) composition only keeping the essential events. For σ : A⊥ || B and τ : B⊥ || C, let τ ⊙ σ = ℰ(τ ⊛ σ). We observe that ℰ(τ ⊛ σ) = ℰ(τ) ⊙ ℰ(σ).

Which pre-strategies compose well with copycat with this new composition? 


4.2 Essential Strategies 


We can now state property (2): the events added by composition with copycat are inessential, hence hidden during composition:

Theorem 3. Let σ : S → A be an uncovered strategy. Then cc_A ⊙ σ = ℰ(σ).

This prompts the following definition. An uncovered pre-strategy σ is essential when it is a strategy, and if, equivalently: (1) all its events are essential, (2) σ = ℰ(σ). We obtain a characterisation of strategies in the spirit of [14]:

Theorem 4. A pre-strategy σ : S → A is essential if and only if cc_A ⊙ σ ≅ σ.

As a result, we get:

Theorem 5. Race-free games, and essential strategies up to isomorphism form a compact-closed category CG⊙.


Relationship Between CG and CG⊙. Covered strategies can be made into a compact-closed category [5,14]. Remember that the composition of σ : S → A⊥ || B and τ : T → B⊥ || C in CG is defined as τ ⊙ σ = (τ ⊛ σ)↓.

Lemma 8. The operation σ ↦ σ↓ extends to an identity-on-objects functor CG⊙ → CG.


In the other direction, a strategy σ : A might not be an essential strategy; in fact it might not even be an uncovered strategy, as it may fail secrecy. Sending σ to cc_A ⊙ σ delegates the non-deterministic choices to internal events and yields an essential strategy, but this operation is not functorial.

Relationship Between CG⊙ and CG⊛. The forgetful operation mapping an essential strategy σ to itself, seen as an uncovered strategy, defines a functor CG⊙ → CG⊛. Indeed, if two essential strategies are isomorphic, they are also weakly bisimilar. Moreover, we have that τ ⊛ σ ≈ ℰ(τ ⊛ σ) = τ ⊙ σ. However the operation ℰ(·) does not extend to a functor in the other direction even though ℰ(τ) ⊙ ℰ(σ) = ℰ(τ ⊛ σ), as it is defined only on concrete representatives, not on equivalence classes for weak bisimilarity.


4.3 Interpretation of APCF₊


We now show that this new category also supports a sound and adequate interpretation of APCF₊ for various testing equivalences, including must. As before, we need to construct the category of negative games and strategies.

Lemma 9. There is a cartesian symmetric monoidal category CG⊙⁻ of negative race-free games and negative essential strategies up to isomorphism. Well-opened negative race-free games form an exponential ideal of CG⊙⁻.


We keep the same interpretation of types of affine nondeterministic PCF. Moreover, the strategy if is essential. As a result, we let:

⟦⊥⟧⊙ = q : B        ⟦if M N N'⟧⊙ = if ⊙ (⟦M⟧⊙ || ⟨⟦N⟧⊙, ⟦N'⟧⊙⟩)


Using ℰ(σ ⊛ τ) = ℰ(σ) ⊙ ℰ(τ), one can prove by induction that for any term M we have ⟦M⟧⊙ = ℰ(⟦M⟧⊛). Furthermore, this interpretation permits a stronger link between the operational and the denotational semantics:

Theorem 6. For all terms ⊢ M : B, ℰ(t(M)) = ⟦M⟧⊙.

Theorem 6 implies Theorem 2. It also implies adequacy for must:

Corollary 2. The interpretation ⟦·⟧⊙ is adequate for may, and fair, and must: ⊢ M : B has no infinite derivations if and only if all (possibly infinite) maximal configurations of ⟦M⟧ have a positive event.

This result also implies that ⟦·⟧ is adequate for must.


5 Conclusion 


We have described an extension of the games of [14] to uncovered strategies, 
composed without hiding. It has strong connections with operational semantics, 
as the interpretations of terms of base type match their tree of reductions. It also 
forms a compact-closed category up to weak bisimulation, and is adequate for 
the denotational semantics of programming languages. Identifying the inessential 
events as those responsible for the non-neutrality of copycat, we remove them 
to yield a compact-closed category up to isomorphism. Doing so we obtain our 
sought-after setting for the denotational semantics of programming languages, 
one agnostic w.r.t. the chosen testing equivalence. The work blends well with 
the technology of [7] (symmetry, concurrent innocence) dealing with non-affine 
languages and characterising strategies corresponding to pure programs; these 
developments appear in the first author’s PhD thesis [3]. 
Abstract. We present a trace model for Strachey parametric polymorphism. The model is built using operational nominal game semantics and 
captures parametricity by using names. It is used here to prove an oper- 
ational version of a conjecture of Abadi, Cardelli, Curien and Plotkin 
which states that Strachey equivalence implies Reynolds equivalence in 
System F. 


1 Introduction 


Parametricity was first introduced by Strachey [22] as a way to characterise the 
behaviour of polymorphic programs as being uniform with respect to the type 
of the arguments provided. He opposed this notion to ad-hoc polymorphism, 
where a function can produce arbitrarily different outputs when provided inputs 
of different types (for example an integer and a boolean). To formalise this 
notion of parametricity, Reynolds introduced relational parametricity [21]. It is 
defined using an equivalence on programs, that we call Reynolds equivalence 
and is a generalisation of logical relations to System F. This equivalence uses 
arbitrary relations over pairs of types to relate polymorphic programs. So a 
parametric program that takes related arguments as input will produce related 
results. Reynolds parametricity has been developed into a fundamental theory 
for studying polymorphic programs [1, 20, 23]. 

Following results of Mitchell on PER-models of polymorphism [18], Abadi, Cardelli, Curien and Plotkin [1,20] introduced another, more intensional notion of equivalence, called Strachey equivalence. Two terms of System F are Strachey equivalent whenever, by removing all their type annotations, we obtain two βη-equivalent untyped terms. The authors conjectured that Strachey equivalence implies Reynolds equivalence (the converse being easily shown to be false).

In this paper we examine a notion of Reynolds equivalence based on opera- 
tional logical relations, and prove that, for this notion, the conjecture holds. To 
do so, we introduce a trace model for System F based on operational nominal 
game semantics [12,14]. Terms in our model are denoted as sets of traces, gener- 
ated by a labelled transition system, which represent interactions with arbitrary 
term contexts. In order to abstract away type information from inputs to poly- 
morphic functions, our semantics uses names to model such inputs. The idea is 
(x : θ) ∈ Γ
──────────────
Δ; Γ ⊢ x : θ

Δ; Γ, x : θ ⊢ M : θ'
───────────────────────────
Δ; Γ ⊢ λx^θ.M : θ → θ'

Δ; Γ ⊢ M : θ → θ'    Δ; Γ ⊢ N : θ
─────────────────────────────────────
Δ; Γ ⊢ MN : θ'

Δ, X; Γ ⊢ M : θ
─────────────────────────
Δ; Γ ⊢ 𝛬X.M : ∀X.θ

Δ; Γ ⊢ M : ∀X.θ
───────────────────────────
Δ; Γ ⊢ Mθ' : θ{θ'/X}

(λx^θ.M)N =βη M{N/x}        (𝛬X.M)θ =βη M{θ/X}        λx^θ.Mx =βη M (x not free in M)        𝛬X.MX =βη M (X not free in M)

Fig. 1. Typing rules and βη-equality axioms.


the following: since names have no internal structure, the function has no choice 
but to act “the same way” on such inputs, i.e. be parametric. Our trace model 
yields a third notion of equivalence: trace equivalence (i.e. equality of sets of 
traces). Then, the result is proven by showing that trace equivalence is included 
in (operational) Reynolds equivalence, while it includes Strachey equivalence. 

The traces in our model are formed of moves, which represent interactions between the modelled term (the Player) and its context (the Opponent): either Player or Opponent can interrogate the terms provided by the other one, or respond to a previous such interrogation. These moves are called questions and answers respectively. Names enter the scene when calling terms which are of polymorphic type, in which case the calling party would replace the actual argument type θ with a type name α, and record locally the correspondence between α and θ. Another use of names in our model is for representing terms that are passed around as arguments to questions. These are called computation names, and are typed according to the term they each represent.


2 Definition of System F and Parametricity 


We start off by giving the definitions of System F and of the parametric equiv- 
alence relations we shall examine on it. The grammar for System F is standard 
and given by: 


Type ∋ θ, θ' ::= X | θ → θ' | ∀X.θ
Term ∋ M, N ::= x | λx^θ.M | 𝛬X.M | MN | Mθ


We write x, etc. for (term) variables, sourced from a countable set Var; and X, etc. for type variables, taken from TVar. We define substitutions of open variables of either kind in the usual capture-avoiding way. For instance, the term obtained by consecutively applying substitutions η : Var → Term and δ : TVar → Type on M is written M{η}{δ}.

Terms are typed in environments Δ; Γ, where Δ is a finite set of type variables, and Γ is a set {x₁ : θ₁, ..., xₘ : θₘ} of variable-type pairs. The typing rules are given in Fig. 1. The operational semantics we examine is βη-equality, defined as the least syntactic congruence =βη that includes the axioms given on the RHS part of Fig. 1.
We shall use the following common polymorphic encodings:

– Bool = ∀X. X → X → X, true = 𝛬X.λx^X.λy^X.x and false = 𝛬X.λx^X.λy^X.y,
– Unit = ∀X. X → X and id = 𝛬X.λx^X.x.


Reynolds Equivalence. We next introduce logical relations for System F. First, we let Rel be the set of all typed relations between closed terms that are compatible with =βη:

Rel = { (θ₁, θ₂, R) | R ⊆ Term × Term ∧ ∀(M₁, M₂) ∈ R. ⊢ Mᵢ : θᵢ (i = 1, 2) ∧ ∀M₁' =βη M₁. ∀M₂' =βη M₂. (M₁', M₂') ∈ R }

Logical relations R⟦θ⟧_δ are defined below, indexed by environments δ : TVar → Rel:

R⟦X⟧_δ = R   when δ(X) = (·, ·, R)
R⟦∀X.θ⟧_δ = {(M₁, M₂) | ∀(θ₁, θ₂, R) ∈ Rel. (M₁θ₁, M₂θ₂) ∈ R⟦θ⟧_{δ·[X ↦ (θ₁, θ₂, R)]}}
R⟦θ₁ → θ₂⟧_δ = {(M₁, M₂) | ∀(N₁, N₂) ∈ R⟦θ₁⟧_δ. (M₁N₁, M₂N₂) ∈ R⟦θ₂⟧_δ}


We can now define the first notion of parametric equivalence for System F. 


Definition 1. Given terms Δ; Γ ⊢ M₁, M₂ : θ, we say that they are Reynolds equivalent, and write Δ; Γ ⊢ M₁ ≃_log M₂ : θ, if:

∀δ ∈ R⟦Δ⟧. ∀(η₁, η₂) ∈ R⟦Γ⟧_δ. (M₁{η₁}{δ₁}, M₂{η₂}{δ₂}) ∈ R⟦θ⟧_δ

where R⟦Δ⟧ = dom(Δ) → Rel, δ₁ = {(X, θ₁) | δ(X) = (θ₁, ·, ·)} (similar for δ₂), and R⟦Γ⟧_δ = {(η₁, η₂) ∈ (dom(Γ) → Term)² | ∀(x, θ') ∈ Γ. (η₁(x), η₂(x)) ∈ R⟦θ'⟧_δ}.


The following result is standard [21]. 


Theorem 2 (Fundamental Property). If Δ; Γ ⊢ M : θ then Δ; Γ ⊢ M ≃_log M : θ.


Remark 3. Note that our definition of Reynolds equivalence does not coincide 
with either of the definitions given in [1,20]: therein, parametricity is defined 
using relational logics (and accompanying proof systems), whereas here we use 
quantification over concrete relations over closed terms. 


Strachey Equivalence. Another notion of parametric equivalence is defined by means of erasing types from terms. We define the type erasure erase(M) of a term M by:

erase(𝛬X.M) = erase(M)        erase(MN) = erase(M) erase(N)
erase(λx^θ.M) = λx.erase(M)        erase(Mθ) = erase(M)

and erase(x) = x. Thus, erase(M) is an untyped λ-term. Below we overload =βη to also mean βη-equality in the untyped λ-calculus.

Definition 4. Given terms Δ; Γ ⊢ M₁, M₂ : θ, we say that they are Strachey equivalent if erase(M₁) =βη erase(M₂).


It was conjectured in [1,20] that Reynolds equivalence includes Strachey 
equivalence. We prove this holds for the version of Reynolds equivalence given 
in Definition 1. 
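To make Definition 4 concrete, here is an added example (not code from the paper) that implements erase(·) for the System F syntax of Section 2 and decides Strachey equivalence by comparing βη-normal forms of the erasures in de Bruijn notation, using the page's encodings true, false and id as inputs. The class names and the string encoding of types are this example's own choices; normalisation terminates because erasures of well-typed System F terms are strongly normalising.

```python
# Added example (not from the paper): type erasure and a Strachey-equivalence check for
# the System F terms of Section 2.  Class names and the string encoding of types are this
# example's own choices; only erasure is implemented, so types are never inspected.
from dataclasses import dataclass


# --- System F syntax (Fig. 1) -------------------------------------------------------
@dataclass(frozen=True)
class Var:  name: str                           # x
@dataclass(frozen=True)
class Lam:  x: str; ty: str; body: object       # λx^θ.M
@dataclass(frozen=True)
class TLam: X: str; body: object                # ΛX.M
@dataclass(frozen=True)
class App:  f: object; a: object                # M N
@dataclass(frozen=True)
class TApp: f: object; ty: str                  # M θ


# --- untyped λ-terms, de Bruijn indexed so that α-equivalence is plain equality --------
@dataclass(frozen=True)
class Ix:  i: int
@dataclass(frozen=True)
class Abs: body: object
@dataclass(frozen=True)
class Ap:  f: object; a: object


def erase(m, env=()):
    """erase(ΛX.M) = erase(M), erase(Mθ) = erase(M), erase(λx^θ.M) = λx.erase(M),
    erase(MN) = erase(M) erase(N), erase(x) = x.  `env` lists the term variables bound
    so far, innermost first, which yields the de Bruijn index of each variable."""
    if isinstance(m, Var):  return Ix(env.index(m.name))
    if isinstance(m, Lam):  return Abs(erase(m.body, (m.x,) + env))
    if isinstance(m, TLam): return erase(m.body, env)
    if isinstance(m, App):  return Ap(erase(m.f, env), erase(m.a, env))
    if isinstance(m, TApp): return erase(m.f, env)
    raise TypeError(f"not a System F term: {m!r}")


def shift(t, d, cutoff=0):
    """Add d to every index >= cutoff (i.e. to the free variables of t)."""
    if isinstance(t, Ix):  return Ix(t.i + d) if t.i >= cutoff else t
    if isinstance(t, Abs): return Abs(shift(t.body, d, cutoff + 1))
    return Ap(shift(t.f, d, cutoff), shift(t.a, d, cutoff))


def subst(t, j, s):
    """t{s/j}: replace free index j by s and close the binder that index j referred to."""
    if isinstance(t, Ix):  return s if t.i == j else (Ix(t.i - 1) if t.i > j else t)
    if isinstance(t, Abs): return Abs(subst(t.body, j + 1, shift(s, 1)))
    return Ap(subst(t.f, j, s), subst(t.a, j, s))


def beta_nf(t):
    """Normal-order β-normalisation.  Erasures of well-typed System F terms are strongly
    normalising, so this terminates on every input built with `erase`."""
    if isinstance(t, Abs): return Abs(beta_nf(t.body))
    if isinstance(t, Ap):
        f = beta_nf(t.f)
        if isinstance(f, Abs):                   # (λ.M) N → M{N/0}
            return beta_nf(subst(f.body, 0, t.a))
        return Ap(f, beta_nf(t.a))
    return t


def free_in(t, j):
    """Does the free index j occur in t?"""
    if isinstance(t, Ix):  return t.i == j
    if isinstance(t, Abs): return free_in(t.body, j + 1)
    return free_in(t.f, j) or free_in(t.a, j)


def eta_nf(t):
    """Bottom-up η-contraction λ.(M 0) → M when 0 is not free in M.  On a β-normal term
    M is never an abstraction, so the result stays β-normal: βη-normal forms are unique."""
    if isinstance(t, Abs):
        b = eta_nf(t.body)
        if isinstance(b, Ap) and b.a == Ix(0) and not free_in(b.f, 0):
            return shift(b.f, -1)
        return Abs(b)
    if isinstance(t, Ap): return Ap(eta_nf(t.f), eta_nf(t.a))
    return t


def strachey_equivalent(m1, m2):
    """Definition 4: erase(M1) =βη erase(M2), decided by comparing βη-normal forms."""
    return eta_nf(beta_nf(erase(m1))) == eta_nf(beta_nf(erase(m2)))


# The page's encodings of the Bool and Unit inhabitants.
TRUE  = TLam("X", Lam("x", "X", Lam("y", "X", Var("x"))))
FALSE = TLam("X", Lam("x", "X", Lam("y", "X", Var("y"))))
ID    = TLam("X", Lam("x", "X", Var("x")))
# ΛX.λx^X. id X x  erases to  λx.(λx.x) x, which is β-equal to erase(id).
ID_VIA_APP = TLam("X", Lam("x", "X", App(TApp(ID, "X"), Var("x"))))
# ΛX.λf^{X→X}.λx^X. f x  and  ΛX.λf^{X→X}. f  differ by one η-step after erasure.
ETA_LONG  = TLam("X", Lam("f", "X->X", Lam("x", "X", App(Var("f"), Var("x")))))
ETA_SHORT = TLam("X", Lam("f", "X->X", Var("f")))
```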


Theorem 5. Any two Strachey equivalent terms are also Reynolds equivalent. 


It is interesting to think why a direct approach would not work in order to prove this conjecture. Given Strachey equivalent terms M₁, M₂ of type Bool, suppose we want to prove them Reynolds equivalent. We therefore take (θ₁, θ₂, R) ∈ Rel, (N_{1,1}, N_{2,1}) ∈ R, and (N_{1,2}, N_{2,2}) ∈ R, and aim to prove that (M₁ θ₁ N_{1,1} N_{1,2}, M₂ θ₂ N_{2,1} N_{2,2}) ∈ R. Ideally, we would like to prove that there exists j ∈ {1, 2} s.t. for all i ∈ {1, 2}, Mᵢ θᵢ N_{i,1} N_{i,2} =βη N_{i,j}; but that seems overly optimistic. A first trick is to use Theorem 2, to get that M₂ is related with itself. Thus, we get that (M₂ θ₁ N_{1,1} N_{1,2}, M₂ θ₂ N_{2,1} N_{2,2}) ∈ R, and it would suffice to prove M₁ θ₁ N_{1,1} N_{1,2} =βη M₂ θ₁ N_{1,1} N_{1,2} to conclude. However, our hypothesis is simply that erase(M₁) =βη erase(M₂).

A possible solution to the above could be to β-reduce both Mᵢ θ₁ N_{1,1} N_{1,2}, hoping that the distinction between the two terms will vanish. Our trace semantics provides a way to model the interaction between such a term Mᵢ and a context • θⱼ N_{j,1} N_{j,2}, and to deduce properties about the normal form reached by their application via head reduction.


3 A Nominal Trace Semantics for System F 


In this section we introduce a trace semantics for open terms which will be our main vehicle of study for System F. The terms in our semantics will be allowed to contain special constants representing any term that could fill in their open variables (be these term or type variables). The use of names can be seen as a nominal approach to parametricity: parametric types and values are represented in our semantics by names, without internal structure. Thus, e.g. a parametric function is going to behave "the same way" for any input, since the latter will be nothing but a name.

Our approach follows the line of work on nominal techniques [7,19] and nominal operational game semantics [12,14]. We let the set of names be:

N = TN ⊎ CN

We therefore use two kinds of names: type names α, β ∈ TN; and computation names c, d ∈ CN. We will range over arbitrary names by a and variants. We extend the syntax of terms and types by including computation and type names as constants, and call the resulting syntax namey terms and types:

M, N ::= c | x | λx^θ.M | 𝛬X.M | MN | Mθ        θ, θ' ::= α | X | θ → θ' | ∀X.θ
A namey term or type is closed if it contains no free (type/term) variables, but it may contain names. On the other hand, a value is a closed term in head normal form that contains no names. We range over values with v and variants.

We will use the notation M̂, N̂, and variants, to refer jointly to namey terms and namey types. Namey terms are typed with additional typing hypotheses for the added constants. These typings are made explicit in the trace model. By abuse of terminology, we will drop the adjective "namey" and refer to the above simply as "terms" and "types". Formally speaking, namey terms and types form nominal sets (cf. Definition 8).


Note 6 (what do c's and α's represent?). A computation name c represents a term that can replace the open variables of a term M. That is, in order to examine the semantics of λx^θ.M, we will look instead at M{c/x} where c is a computation name of appropriate type. Type names α have a similar purpose, for types.


Our trace semantics is built on top of head reduction, which we recall next. Moreover, we shall be using types in extended form, which determines the number and types of arguments needed in order to fully apply a term of a given type.


Definition 7. The (standard) head reduction rules are given in Fig. 2. Head normal forms are given by the syntax on the LHS below,

M_hnf ::= E[x] | E[c] | λx^θ.M_hnf | 𝛬X.M_hnf        E ::= • | E M | E θ

where E ranges over evaluation contexts (defined on the RHS). Evaluation contexts are typed with types of the form θ ⇝ θ'. We write E : θ ⇝ θ' if we can derive • : θ ⊢ E : θ'.

An extended type form is a sequence (τ₁, ..., τₙ, ξ) with ξ ∈ TVar ∪ TN and, for each i, τᵢ ∈ Type ∪ {∀X | X ∈ TVar}. Formally, the extended form of a type θ, written ext(θ), is defined by:

ext(∀X.θ) = (∀X) :: ext(θ)        ext(θ → θ') = θ :: ext(θ')        ext(ξ) = (ξ)

where we write h::t for the sequence with head h and tail t (cf. list notation). Elements of the form ∀X in these sequences are binders that bind to their right.


We let →* be the reflexive-transitive closure of →. It is a standard result that →* preserves typing and (strongly) normalises to head normal forms. We finally introduce some infrastructure for working with objects with names.

(λx.M)N → M{N/x}        (𝛬X.M)θ → M{θ/X}

M → M' ⟹ λx.M → λx.M'        M → M' ⟹ 𝛬X.M → 𝛬X.M'        M → M' ⟹ E[M] → E[M']  (∗)

Fig. 2. Head reduction rules. Condition (∗) stipulates that M be not a λ/𝛬-abstraction.
Definition 8. We call a permutation π : N → N finite if the set {a | π(a) ≠ a} is finite, and component-preserving if, for all a ∈ N, a ∈ TN iff π(a) ∈ TN.

A nominal set [7] is a pair (Z, ∗) of a set Z along with an action (∗) from the set of finite component-preserving permutations of N on the set Z. For each z ∈ Z, the set of names featuring in z form its support, written ν(z), which we stipulate to be finite.

In the sequel, when constructing objects with names (such as moves or traces) we shall implicitly assume that these form nominal sets, where the permutation action is defined by taking π ∗ z to be the result of applying π to each name in z.


3.1 Trace Semantics Preview 


Before formally presenting the trace model, we look at some examples informally, postponing the full details for the next section. Head-reduction brings terms into head normal form. The trace semantics allows us to further 'reduce' terms of the form E[c M̂₁ ⋯ M̂ₙ], where c is some computation name. For such a term, following the game semantics approach [3,11], our model will issue a move interrogating the computation c on arguments M̂ᵢ, and putting E on top of an evaluation stack, denoted ℰ. The move is effectively a call to c, and ℰ functions as a call stack which registers the calls that have been made and are still pending. This will effectively lead to a labelled transition system in which labels are moves issued by two parties: a Player (P), representing the modelled term, and an Opponent (O) representing its enclosing term context.

Traces are sequences of moves, which in turn are tuples of names belonging to one of these four classes, taking c ∈ CN and aᵢ ∈ N for each i:

– Player questions c̄(a₁, ..., aₙ) (also P-questions),
– Opponent questions c(a₁, ..., aₙ) (also O-questions),
– PO-answers ŌK OK, and OP-answers OK ŌK.

Given a question move as above, we let its core name be c. We distinguish a computation name c_in ∈ CN, and call questions with core name c_in initial. We define a trace T to be a finite sequence of moves. Traces will be restricted to legal ones in Definition 12.

In the following examples we give traces produced by simple System F terms. Traces are formally produced by an LTS over configurations whose main component is an evaluation stack. An evaluation stack is a stack whose elements are typed evaluation contexts, apart from the top element which can also be a typed term:

ℰ ::= ◇ | (M, θ) :: ℰ'        ℰ' ::= ◇ | (E, θ ⇝ θ') :: ℰ'

We denote the empty stack with ◇. In the next two examples, for simplicity, configurations shall only contain evaluation stacks.
Example 9. Recall that id = 𝛬X.λx^X.x : Unit and Unit = ∀X.X → X. The extended type of Unit, ext(Unit) = (∀X, X, X), indicates that id requires two arguments in order to be evaluated: one type and one term of that given type. Thus, the traces produced by id will start with an interrogating/calling move c_in(α, c) of O:

– c_in is the computation name assigned (by convention) to the term being evaluated (in this case, id);

– α, c are names abstracting the actual type and term arguments which id is called on. It is assumed that c is of type α.

Starting from the initial move c_in(α, c), a trace of id can be produced as follows:

(◇) —[c_in(α, c)]→ ((id α c, α)) → ((c, α)) —[c̄()]→ ((•, α ⇝ α)) —[OK ŌK]→ (◇)

Thus, O starts the interaction by interrogating id with α, c. This results in id α c, which gets head reduced to c. At this point, c is a head normal form of type α, and P can answer the initial question c_in(α, c). This is done in two steps. First, P further reduces c by playing a move c̄() (here c takes 0 arguments as ext(α) = (α)), and pushes the current evaluation context (•, α ⇝ α) on the stack. O then responds by triggering a pair of answers OK ŌK, which answer both questions played so far. The resulting trace is: c_in(α, c) · c̄() · OK ŌK.


Note 10 (what are ŌK OK and OK ŌK?). As System F base types are type variables, there is no real need for answer moves: a type X has no return values. For example, in the game models of Hughes [9] and Laird [15], answer moves were effectively suppressed (either explicitly, or by allowing moves c(···) to function as answers). Here, to give the semantics an operational flavour, we introduce instead explicit 'dummy' answers OK.


Example 11. Consider now M = λf^Unit.f : Unit → Unit. We have that ext(Unit → Unit) = (Unit, ∀X, X, X), and therefore M requires three arguments for its evaluation: one term of type Unit, one type, and one term of that latter type. We can therefore start a trace of M with an initial move c_in(c₁, α₁, c₂) and continue as follows.

(◇) —[c_in(c₁, α₁, c₂)]→ ((M c₁ α₁ c₂, α₁)) → ((c₁ α₁ c₂, α₁)) —[c̄₁(α₂, c₃)]→ ((•, α₂ ⇝ α₁))

Thus, the initial move leads to M c₁ α₁ c₂, which in turn reaches the hnf c₁ α₁ c₂, with c₁ : Unit, and at that point P needs to invoke c₁ with arguments α₁ and c₂. These are abstracted away by fresh names α₂ and c₃ respectively, which are passed as arguments to c₁. c₃ in particular has type α₂. The result of this invocation will be of type α₂, which is the hole type in (• : α₂ ⇝ α₁). O can only produce a term of α₂ by simply returning c₃. Similarly to before, this is done in two steps: by O playing c₃(), which brings c₂ (the term represented by c₃) at the top of the stack, which in turn triggers a pair of answers ŌK OK and brings c₂ inside the context (• : α₂ ⇝ α₁).

((•, α₂ ⇝ α₁)) —[c₃()]→ ((c₂, α₂) :: (•, α₂ ⇝ α₁)) —[ŌK OK]→ ((c₂, α₁)) —[c̄₂()]→ ((•, α₁ ⇝ α₁)) —[OK ŌK]→ (◇)

The latter step leaves us with (c₂, α₁), which reaches ◇ as in the previous example.


3.2 Definition of the LTS 


We now proceed with the formal definition of the trace semantics. We start off 
with a series of definitions setting the conditions for a trace to be legal. 

The names appearing in a trace are owned by whoever introduces them. A move m introduces a name a in a trace T if m is a question q(ā) with aᵢ = a for some i. For each A ∈ {O, P}, we let the set of names of T that are owned by A be:

A(T) = {a ∈ N | ∃m. m is an A-question in T ∧ m introduces a}.


We will be referring to the names appearing in A(T) as A-names. 

Each move in a trace needs to be justified, i.e. depend on an earlier move
(unless the move is initial). Justification is defined in different ways for questions
and answers. Given a trace $T$ and two moves $m, m'$ in $T$, we say that $m'$ justifies
$m$ when $m'$ is before $m$ in $T$ and:

— $m$ is a question with core name $c$ and $m'$ introduces $c$, or
— $m$ is an answer which answers $m'$ (and $m'$ is a question).

Answering of questions is defined as follows. Each answer (occurrence) $m$ answers
the pair of question moves $(m_1, m_2)$ containing the last two question moves in
$T$ which are before $m$ and have not been answered yet.

We can now define legality conditions for traces. Below, for $A \in \{O, P\}$, we
say that a move is $A$-starting if it is an $A$-question or an $AA^\perp$-answer (where
$O^\perp = P$ and $P^\perp = O$). Similarly, a move is $A$-ending if it is either an $A$-question
or an $A^\perp A$-answer.

Definition 12. A trace $T$ is said to be legal when, for each $A \in \{O, P\}$:

1. $A$-ending moves can only be followed by $A^\perp$-starting moves;
2. all moves in $T$ are justified, apart from the first move which must be initial;
3. apart from $c_{in}$, every name of $T$ is introduced exactly once in it;
4. for each $A$-question with core name $c \neq c_{in}$, we have $c \in A^\perp(T)$;
5. if an $AA^\perp$-answer answers $(m, m')$ then these are $A$- and $A^\perp$-questions respectively.

The conditions above can be given names (suggesting their purpose) as follows: 1.
alternation, 2. justification, 3. well-introduction, 4. well-calling, 5. well-answering.


Each trace $T$ has a complement, which we denote $T^\perp$ and is obtained from $T$
by switching O/P in all of its moves (i.e. each $c(\bar a)$ becomes $\bar c(\bar a)$, $\mathrm{OKOK}$ becomes
$\overline{\mathrm{OKOK}}$, etc). $T$ is legal iff $T^\perp$ is.
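As an added example (not from the paper), the five conditions of Definition 12 can be checked mechanically on a finite trace. It assumes an encoding of moves that is this example's own: a question is `('Q', owner, core, args)` with owner `'O'` or `'P'` (the P-questions are the overlined $\bar c(\bar a)$ moves), an answer is `('A', A)` for an $AA^\perp$-answer, and the initial move is a question on $c_{in}$ by either player; the sample trace is the one derived for $M$ above.

```python
# Added example: a checker for the legality conditions of Definition 12.
# Encoding (an assumption of this example, not the paper's notation):
#   question  ('Q', owner, core, args)   owner in {'O','P'}; P-questions are the c̄(ā) moves
#   answer    ('A', A)                   an AA⊥-answer: ('A','O') is OP, ('A','P') is PO
OPP = {'O': 'P', 'P': 'O'}
C_IN = 'c_in'


def is_question(m):
    return m[0] == 'Q'


def starter(m):
    """The A such that m is A-starting: an A-question or an AA⊥-answer."""
    return m[1]


def ender(m):
    """The A such that m is A-ending: an A-question or an A⊥A-answer."""
    return m[1] if is_question(m) else OPP[m[1]]


def introducers(trace):
    """name -> indices of the questions that introduce it (carry it as an argument)."""
    intro = {}
    for i, m in enumerate(trace):
        if is_question(m):
            for a in m[3]:
                intro.setdefault(a, []).append(i)
    return intro


def owned(trace, A):
    """A(T): the names introduced by A-questions."""
    return {a for m in trace if is_question(m) and m[1] == A for a in m[3]}


def answered_pairs(trace):
    """index of each answer -> (m1, m2), the last two still-unanswered questions
    before it (None when fewer than two are pending)."""
    pending, pairs = [], {}
    for i, m in enumerate(trace):
        if is_question(m):
            pending.append(i)
        elif len(pending) < 2:
            pairs[i] = None
        else:
            m2, m1 = pending.pop(), pending.pop()
            pairs[i] = (m1, m2)
    return pairs


def violations(trace):
    """Names of the conditions of Definition 12 that the trace violates (sorted)."""
    bad = set()
    if not trace:
        return []
    # 1. alternation: an A-ending move is followed only by an A⊥-starting one
    for m, n in zip(trace, trace[1:]):
        if starter(n) != OPP[ender(m)]:
            bad.add('alternation')
    # 2. justification: first move initial (a question on c_in); every later
    #    question's core name was introduced earlier; every answer answers a pair
    first = trace[0]
    if not (is_question(first) and first[2] == C_IN):
        bad.add('justification')
    intro, pairs = introducers(trace), answered_pairs(trace)
    for i in range(1, len(trace)):
        m = trace[i]
        if is_question(m):
            if not any(j < i for j in intro.get(m[2], [])):
                bad.add('justification')
        elif pairs[i] is None:
            bad.add('justification')
    # 3. well-introduction: every name except c_in is introduced exactly once
    if C_IN in intro or any(len(js) != 1 for js in intro.values()):
        bad.add('well-introduction')
    # 4. well-calling: an A-question on c != c_in calls a name owned by A⊥
    for m in trace:
        if is_question(m) and m[2] != C_IN and m[2] not in owned(trace, OPP[m[1]]):
            bad.add('well-calling')
    # 5. well-answering: an AA⊥-answer answers (A-question, A⊥-question)
    for i, p in pairs.items():
        if p is not None:
            A = trace[i][1]
            if trace[p[0]][1] != A or trace[p[1]][1] != OPP[A]:
                bad.add('well-answering')
    return sorted(bad)


def is_legal(trace):
    return violations(trace) == []


def complement(trace):
    """T⊥: the same trace with O and P swapped in every move."""
    return [('Q', OPP[m[1]], m[2], m[3]) if is_question(m) else ('A', OPP[m[1]])
            for m in trace]


# The trace of M derived above: c_in(c1,a1,c2) · c̄1(a2,c3) · c3() · OKOK · c̄2() · OKOK
TRACE_M = [
    ('Q', 'O', C_IN, ('c1', 'a1', 'c2')),
    ('Q', 'P', 'c1', ('a2', 'c3')),
    ('Q', 'O', 'c3', ()),
    ('A', 'P'),                      # PO-answer: c2 is returned into the hole
    ('Q', 'P', 'c2', ()),
    ('A', 'O'),                      # OP-answer: the copycat (•, a1 ⇝ a1) is closed
]

if __name__ == '__main__':
    print(violations(TRACE_M), violations(complement(TRACE_M)))
```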
Traces are produced by use of a labelled transition system. The LTS comprises
moves as labels, and configurations as nodes. Each configuration contains
an evaluation stack of terms and environments that need to be evaluated, as
well as mappings containing type/term information on names that have appeared
so far. We introduced evaluation stacks in the previous section. Here we shall
restrict the allowed shapes thereof as follows. We let passive and active evaluation
stacks be defined by the following two grammars respectively, and take
evaluation stacks to be $\mathcal{E} ::= \mathcal{E}_{pass} \mid \mathcal{E}_{actv}$:

$$\mathcal{E}_{pass} ::= \Diamond \mid [(E, \alpha \rightsquigarrow \theta)] \mid (E, \alpha \rightsquigarrow \alpha') :: \mathcal{E}_{pass}, \qquad \mathcal{E}_{actv} ::= [(M, \theta)] \mid (M, \alpha) :: \mathcal{E}_{pass},$$

where $\theta$ ranges over closed types with $\nu(\theta) = \emptyset$, and $\Diamond$ is the empty stack.
The other two components of configurations will be maps $\gamma$ and $\phi$ of the
shape:

$$\gamma \in (\mathrm{CN} \rightharpoonup (\mathrm{Term} \times \mathrm{Type})) \oplus (\mathrm{TN} \rightharpoonup (\mathrm{Type} \times \{U\})), \qquad \phi \in (\mathrm{CN} \rightharpoonup \mathrm{Type}) \oplus (\mathrm{TN} \rightharpoonup \{U\}),$$

with $F \oplus G = \{ f \cup g \mid f \in F \wedge g \in G \}$. $U$ is a special "universe" symbol that
represents the type of types; it is only used for convenience. Then, in words:

— $\gamma$ assigns term-type pairs to computation names, and type-$U$ pairs to type
names,
— $\phi$ assigns types to computation names, and $U$ to type names.


The role of a map $\gamma$ is to abstract away terms to computation names, and types
to type names. On the other hand, a map $\phi$ simply types names. In the LTS,
when P wants to interrogate an O-computation name $c$ with some arguments,
they will abstract away the actual arguments to names, record the abstraction
in $\gamma$, and call $c$ on these names. On the other hand, when O interrogates a P-
computation name $c$ with some move $c(\bar a)$, we will record in $\phi$ the types of the
(new!) O-names $\bar a$.

The abstraction of arguments to names is instrumented by a dedicated operation
$\mathrm{AVal}$. This operation assigns to each sequence $((M_1, \tau_1), \ldots, (M_n, \tau_n), \xi)$,
where $(\tau_1, \ldots, \tau_n, \xi)$ is an extended type (i.e. the type of the computation name
we want to call) and each $M_i$ is a closed term or type (the $i$-th argument), a set
of triples of the form $(\bar a, \gamma, \beta)$ where:

— $\bar a$ is a sequence $(a_1, \ldots, a_n)$ of names (abstracting each of the arguments $M_i$),
— $\gamma$ is a map as above, with domain $\{a_1, \ldots, a_n\}$,
— $\beta$ is the result type one gets after applying each $a_i$ for each $\tau_i$.

The operator is formally defined next. In the same definition we introduce the
semantics of types, $[\![\theta]\!]$, as sets of triples of the form $(\bar a, \phi, \beta)$, which represent all
possible input-output name tuples $(\bar a, \beta)$ that are allowed for $\theta$, including their
typing $\phi$.
(INT) $((M, \theta) :: \mathcal{E}, \gamma, \phi) \to ((M', \theta) :: \mathcal{E}, \gamma, \phi)$ when $M \to^* M'$ with $M'$ a head normal form.

(OQ0) $(\Diamond, \gamma, \phi) \xrightarrow{\ c(\bar a)\ } ([(M\,a_1 \cdots a_n, \alpha)], \gamma, \phi \cdot \phi')$
with $\gamma(c) = (M, \theta)$, $((a_1, \ldots, a_n), \phi', \alpha) \in [\![\theta]\!]$ and $\alpha \in \mathrm{dom}(\phi \cdot \phi')$.

(OQ) $((E, \alpha \rightsquigarrow \theta) :: \mathcal{E}, \gamma, \phi) \xrightarrow{\ c(\bar a)\ } ((M\,a_1 \cdots a_n, \alpha') :: (E, \alpha \rightsquigarrow \theta) :: \mathcal{E}, \gamma, \phi \cdot \phi')$
with $\alpha \in \mathrm{dom}(\gamma)$, $\gamma(c) = (M, \theta')$, $((a_1, \ldots, a_n), \phi', \alpha') \in [\![\theta']\!]$ and $\alpha' \in \mathrm{dom}(\phi \cdot \phi') \cup \{\alpha\}$.

(PQ0) $([(E[c\,M_1 \cdots M_n], \theta)], \gamma, \phi) \xrightarrow{\ \bar c(\bar a)\ } ([(E, \alpha \rightsquigarrow \theta)], \gamma \cdot \gamma', \phi)$
when $\theta$ is closed with empty support, $\mathrm{ext}(\phi(c)) = (\tau_1, \ldots, \tau_n, \xi)$
and $((a_1, \ldots, a_n), \gamma', \alpha) \in \mathrm{AVal}((M_1, \tau_1), \ldots, (M_n, \tau_n), \xi)$.

(PQ) $((E[c\,M_1 \cdots M_n], \alpha') :: \mathcal{E}, \gamma, \phi) \xrightarrow{\ \bar c(\bar a)\ } ((E, \alpha \rightsquigarrow \alpha') :: \mathcal{E}, \gamma \cdot \gamma', \phi)$ when $\alpha' \in \mathrm{dom}(\phi)$,
$\mathrm{ext}(\phi(c)) = (\tau_1, \ldots, \tau_n, \xi)$ and $((a_1, \ldots, a_n), \gamma', \alpha) \in \mathrm{AVal}((M_1, \tau_1), \ldots, (M_n, \tau_n), \xi)$.

(OA) $((\bullet, \alpha \rightsquigarrow \alpha) :: \mathcal{E}, \gamma, \phi) \xrightarrow{\ \mathrm{OKOK}\ } (\mathcal{E}, \gamma, \phi)$ when $\alpha \in \mathrm{dom}(\phi)$.

(PA) $((M, \alpha) :: (E, \alpha \rightsquigarrow \theta) :: \mathcal{E}, \gamma, \phi) \xrightarrow{\ \overline{\mathrm{OKOK}}\ } ((E[M], \theta) :: \mathcal{E}, \gamma, \phi)$ when $\alpha \in \mathrm{dom}(\gamma)$ and $M$ a hnf.

Fig. 3. Reduction rules for the LTS.


Definition 13. Given a closed type $\theta$ (which may contain type names), we let
its semantics be $[\![\theta]\!] = [\![\mathrm{ext}(\theta)]\!]$, where the latter is defined inductively by:

$$[\![(\alpha)]\!] = \{(\epsilon, \epsilon, \alpha)\}$$
$$[\![\theta :: L]\!] = \{((c, \bar a), \phi \cdot [c \mapsto \theta], \alpha) \mid c \in \mathrm{CN},\ (\bar a, \phi, \alpha) \in [\![L]\!]\}$$
$$[\![\forall X :: L]\!] = \{((\beta, \bar a), \phi \cdot [\beta \mapsto U], \alpha) \mid \beta \in \mathrm{TN},\ (\bar a, \phi, \alpha) \in [\![L\{\beta/X\}]\!]\}$$

On the other hand, to each sequence $((M_1, \tau_1), \ldots, (M_n, \tau_n), \xi)$ we assign a set of
abstract values $\mathrm{AVal}((M_1, \tau_1), \ldots, (M_n, \tau_n), \xi)$ inductively by:

$$\mathrm{AVal}((\alpha)) = \{(\epsilon, \epsilon, \alpha)\}$$
$$\mathrm{AVal}((M, \theta) :: L) = \{((c, \bar a), \gamma \cdot [c \mapsto (M, \theta)], \alpha) \mid c \in \mathrm{CN},\ (\bar a, \gamma, \alpha) \in \mathrm{AVal}(L)\}$$
$$\mathrm{AVal}((\theta, \forall X) :: L) = \{((\beta, \bar a), \gamma \cdot [\beta \mapsto (\theta, U)], \alpha) \mid \beta \in \mathrm{TN},\ (\bar a, \gamma, \alpha) \in \mathrm{AVal}(L\{\beta/X\})\}$$

Both $\phi$ and $\gamma$ are finite partial functions whose domains are sets of names. For
such maps, the extension notation we used e.g. in $\phi \cdot [c \mapsto z]$ (for appropriate $z$)
means fresh extension: $\phi \cdot [c \mapsto z] = \phi \cup \{(c, z)\}$, given that $c \notin \mathrm{dom}(\phi)$.
This notation is extended to whole maps: e.g. $\phi \cdot \phi' = \phi \cup \phi'$, given that
$\mathrm{dom}(\phi) \cap \mathrm{dom}(\phi') = \emptyset$. Moreover, for each map $\gamma$ we write $\mathrm{fst}(\gamma)$ for its first
projection: $\mathrm{fst}(\gamma) = \{(a, M) \mid \gamma(a) = (M, \_)\}$. Similarly, the second projection is
given by: $\mathrm{snd}(\gamma) = \{(a, Z) \mid \gamma(a) = (\_, Z)\}$.
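As an added worked instance of Definition 13 (not from the paper), here is the semantics of the type $\mathrm{Unit} \to \mathrm{Unit}$ used in Example 15, followed by the abstract values for the call $c_f(N)$ in the Church-numeral trace of Fig. 4. It assumes $\mathrm{Unit} = \forall X.\,X \to X$, so that $\mathrm{ext}(\mathrm{Unit} \to \mathrm{Unit}) = (\mathrm{Unit}, \forall X, X, X)$ as stated in Fig. 4, and uses the names $c_1, \alpha_1, c_2$ of that figure.

$$[\![(\alpha_1)]\!] = \{(\epsilon, \epsilon, \alpha_1)\}$$
$$[\![\alpha_1 :: (\alpha_1)]\!] = \{((c_2), [c_2 \mapsto \alpha_1], \alpha_1) \mid c_2 \in \mathrm{CN}\}$$
$$[\![\forall X :: X :: (X)]\!] = \{((\alpha_1, c_2), [c_2 \mapsto \alpha_1] \cdot [\alpha_1 \mapsto U], \alpha_1) \mid \alpha_1 \in \mathrm{TN},\ c_2 \in \mathrm{CN}\}$$
$$[\![\mathrm{Unit} :: \forall X :: X :: (X)]\!] = \{((c_1, \alpha_1, c_2), [c_1 \mapsto \mathrm{Unit},\ \alpha_1 \mapsto U,\ c_2 \mapsto \alpha_1], \alpha_1) \mid c_1, c_2 \in \mathrm{CN},\ \alpha_1 \in \mathrm{TN}\}$$

So every element of $[\![\mathrm{Unit} \to \mathrm{Unit}]\!]$ has the shape of the initial move $c_{in}(c_1, \alpha_1, c_2)$ of Fig. 4, with typing $\phi_0 = \{c_1 \mapsto \mathrm{Unit}, \alpha_1 \mapsto U, c_2 \mapsto \alpha_1\}$ and result type $\alpha_1$, which is why (OQ0) leaves the stack $[(M\,c_1\,\alpha_1\,c_2, \alpha_1)]$. For the Church numeral, $\phi_0(c_f) = \alpha_1 \to \alpha_1$ gives $\mathrm{ext}(\phi_0(c_f)) = (\alpha_1, \alpha_1)$, and abstracting the single argument $N = N_{c_f, c_x, k-1}$ yields

$$\mathrm{AVal}((N, \alpha_1), (\alpha_1)) = \{((c_1), [c_1 \mapsto (N, \alpha_1)], \alpha_1) \mid c_1 \in \mathrm{CN}\},$$

so (PQ) lets P play $\bar c_f(c_1)$, extends $\gamma_0$ to $\gamma_1 = \gamma_0 \cdot [c_1 \mapsto (N, \alpha_1)]$, and leaves the stack $[(\bullet, \alpha_1 \rightsquigarrow \alpha_1)]$; since $\alpha_1 \in \mathrm{dom}(\phi_0)$, only (OA) can fire next.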


Definition 14. A configuration is a triple $(\mathcal{E}, \gamma, \phi)$ where $\mathcal{E}$ is an evaluation
stack and $\gamma$ and $\phi$ are as above. The reduction rules of the LTS are given in
Fig. 3. We write $\mathrm{Tr}(C)$ for the set of traces generated by a configuration $C$.

Given a typed term $\Delta; \Gamma \vdash M : \theta$, with $\Delta = \{X_1, \ldots, X_n\}$ and $\Gamma = \{x_1 : \theta_1, \ldots, x_m : \theta_m\}$, we set $\langle \Delta; \Gamma \vdash M : \theta \rangle = (\Diamond, [c_{in} \mapsto (\hat M, \hat\theta)], \epsilon)$ and

$$[\![\Delta; \Gamma \vdash M : \theta]\!] = \{\, T \in \mathrm{Tr}(\langle \Delta; \Gamma \vdash M : \theta \rangle) \mid T \text{ has at most one initial move} \,\}$$

where $\hat\theta = \forall X_1. \cdots \forall X_n.\ \theta_1 \to \cdots \to \theta_m \to \theta$ and $\hat M = \Lambda X_1. \cdots \Lambda X_n.\ \lambda x_1^{\theta_1}. \cdots \lambda x_m^{\theta_m}.\ M$.
A configuration is active (resp. passive) if its evaluation stack is so. An
active configuration stands for a term being computed and it may only produce
P-moves. A passive configuration, on the other hand, stands for a scenario where
O is next to play. Moreover, the map $\phi$ in a configuration contains information
on the O-names that have been played, i.e. $\mathrm{dom}(\phi)$ contains O-names, while
$\mathrm{dom}(\gamma)$ contains P-names.

To better grasp Fig. 3 let us consider an initial configuration $(\Diamond, [c_{in} \mapsto (M, \theta)], \epsilon)$ and look at its traces, for some closed term $M$ (so there is no need for $\hat M, \hat\theta$)
with empty support.

— At the beginning, the only rule that can be applied is (OQ0), whereby O
interrogates the term $M$ by issuing a move $c_{in}(\bar a)$. The names $\bar a$ are selected
from $[\![\theta]\!]$ and represent arguments that O fully applies the term $M$ on. Since
$\theta$ has empty support, its extended form is of the shape $(\tau_1, \ldots, \tau_n, X)$ with
$X$ bound by one of the $\tau_i$'s. Consequently, when the names $a_1, \ldots, a_n$ are
applied for $\tau_1, \ldots, \tau_n$ the variable $X$ will be replaced by some type name $\alpha$.
The rule makes this explicit, by requiring that $(\bar a, \phi', \alpha) \in [\![\theta]\!]$. Thus, writing
$\phi_0$ instead of $\phi'$ and setting $\gamma_0 = [c_{in} \mapsto (M, \theta)]$, the transition brings us to a
configuration $([(M \bar a, \alpha)], \gamma_0, \phi_0)$, where $\mathrm{dom}(\phi_0) = \{a_1, \ldots, a_n\}$.

— At this point, the term $M \bar a$ can be reduced using head reduction and
brought to head normal form. Applying the (INT) rule we reach some
$([(E[c\,M_1 \cdots M_k], \alpha)], \gamma_0, \phi_0)$.

— We next interrogate the computation name $c$. The latter must have come from
the $a_1, \ldots, a_n$ that were applied to $M$, hence is an O-name. To interrogate it,
P plays a question $\bar c(\bar a')$, using the (PQ) rule and assuming $(\bar a', \gamma', \alpha') \in
\mathrm{AVal}((M_1, \tau'_1), \ldots, (M_k, \tau'_k), \xi)$, $\phi_0(c) = \theta'$, $\mathrm{ext}(\theta') = (\tau'_1, \ldots, \tau'_k, \xi)$. This leads
to $([(E, \alpha' \rightsquigarrow \alpha)], \gamma_1, \phi_0)$ ($\gamma_1 = \gamma_0 \cdot \gamma'$).

— We are now at a passive configuration, where $E$ has been stored on the stack
and O is required to produce a response of type $\alpha'$. By definition of $\mathrm{AVal}$,
either $\alpha' = \alpha$ or $\alpha'$ is in $a'_1, \ldots, a'_k$, and hence belongs to P. In the latter
case, O can only produce such a response by calling back P, using rule (OQ),
playing an O-question and adding a new term on the evaluation stack. In the
former case, O would directly respond with a hnf of type $\alpha$, say $N$. But, since
$E : \alpha \rightsquigarrow \alpha$ and therefore $E = \bullet$, P would simply reply back playing $N$ again.
To avoid this copycat of hnf's, we simply play an OP-answer and remove the
top of the evaluation stack; this is what the (OA) rule achieves.


Example 15. In Fig. 4 we include example traces for terms $M_1, M_2 : \mathrm{Unit} \to \mathrm{Unit}$
(taken from [1], Instance 3.25) and for the Church numerals $M_k : \mathrm{Nat}$.
The former pair is an instance of Theorem 21 (Strachey equivalence implies trace
equivalence).


In our scenario above we started from a passive configuration with empty
stack and a singleton $\gamma$. A different way to produce a trace is to start from
an active configuration with a stack containing only a term $E[c_{in}\,M_1 \cdots M_n]$, in
which case the rule (PQ0) would commence the trace. More generally, we call a
configuration $C$ with stack $\mathcal{E}$:

— a term configuration, if $\mathcal{E} = \Diamond$ or the bottom element of $\mathcal{E}$ has type $\alpha$ or
$\alpha \rightsquigarrow \alpha'$;
— a context configuration, if the bottom of $\mathcal{E}$ has type $\theta$ or $\alpha \rightsquigarrow \theta$, and $\theta$ is a
closed type with empty support.

A Trace Semantics for System F Parametric Polymorphism 31

$M_1 = \lambda f^{\mathrm{Unit}}.\ f\,\mathrm{Unit}\,f : \mathrm{Unit} \to \mathrm{Unit}$, $M_2 = \lambda f^{\mathrm{Unit}}.\ \Lambda X.\ f\,(X \to X)\,(f\,X) : \mathrm{Unit} \to \mathrm{Unit}$,
and $\mathrm{ext}(\mathrm{Unit} \to \mathrm{Unit}) = (\mathrm{Unit}, \forall X, X, X)$. Traces for $M_1$ and $M_2$, with $\gamma_0 = [c_{in} \mapsto (M_i, \theta)]$
and $\phi_0 = \{c_1 \mapsto \mathrm{Unit}, \alpha_1 \mapsto U, c_2 \mapsto \alpha_1\}$:

$M_1$:
$$(\Diamond, \gamma_0, \epsilon) \xrightarrow{\ c_{in}(c_1,\alpha_1,c_2)\ } ((M_1\,c_1\,\alpha_1\,c_2, \alpha_1), \gamma_0, \phi_0) \to ((c_1\,\mathrm{Unit}\,c_1\,\alpha_1\,c_2, \alpha_1), \gamma_0, \phi_0) \xrightarrow{\ \bar c_1(\alpha_2, c_3)\ } ((\bullet\,\alpha_1\,c_2, \alpha_2 \rightsquigarrow \alpha_1), \gamma_1, \phi_0)$$
$$\xrightarrow{\ c_3()\ } ((c_1, \alpha_2) :: (\bullet\,\alpha_1\,c_2, \alpha_2 \rightsquigarrow \alpha_1), \gamma_1, \phi_0) \xrightarrow{\ \overline{\mathrm{OKOK}}\ } ((c_1\,\alpha_1\,c_2, \alpha_1), \gamma_1, \phi_0)$$
with $\gamma_1 = \gamma_0 \cdot [\alpha_2 \mapsto (\mathrm{Unit}, U),\ c_3 \mapsto (c_1, \alpha_2)]$.

$M_2$:
$$(\Diamond, \gamma_0, \epsilon) \xrightarrow{\ c_{in}(c_1,\alpha_1,c_2)\ } ((M_2\,c_1\,\alpha_1\,c_2, \alpha_1), \gamma_0, \phi_0) \to ((c_1\,(\alpha_1 \to \alpha_1)\,(c_1\,\alpha_1)\,c_2, \alpha_1), \gamma_0, \phi_0) \xrightarrow{\ \bar c_1(\alpha_2, c_3)\ } ((\bullet\,c_2, \alpha_2 \rightsquigarrow \alpha_1), \gamma_1, \phi_0)$$
$$\xrightarrow{\ c_3()\ } ((c_1\,\alpha_1, \alpha_2) :: (\bullet\,c_2, \alpha_2 \rightsquigarrow \alpha_1), \gamma_1, \phi_0) \xrightarrow{\ \overline{\mathrm{OKOK}}\ } ((c_1\,\alpha_1\,c_2, \alpha_1), \gamma_1, \phi_0)$$
with $\gamma_1 = \gamma_0 \cdot [\alpha_2 \mapsto (\alpha_1 \to \alpha_1, U),\ c_3 \mapsto (c_1\,\alpha_1, \alpha_2)]$.

Both traces then continue in the same way:
$$((c_1\,\alpha_1\,c_2, \alpha_1), \gamma_1, \phi_0) \xrightarrow{\ \bar c_1(\alpha_3, c_4)\ } ((\bullet, \alpha_3 \rightsquigarrow \alpha_1), \gamma_2, \phi_0) \xrightarrow{\ c_4()\ } ((c_2, \alpha_3) :: (\bullet, \alpha_3 \rightsquigarrow \alpha_1), \gamma_2, \phi_0) \xrightarrow{\ \overline{\mathrm{OKOK}}\ } ((c_2, \alpha_1), \gamma_2, \phi_0)$$
$$\xrightarrow{\ \bar c_2()\ } ((\bullet, \alpha_1 \rightsquigarrow \alpha_1), \gamma_2, \phi_0) \xrightarrow{\ \mathrm{OKOK}\ } (\Diamond, \gamma_2, \phi_0)$$
where $\gamma_2 = \gamma_1 \cdot [\alpha_3 \mapsto (\alpha_1, U),\ c_4 \mapsto (c_2, \alpha_3)]$.

$M_k = \Lambda X.\ \lambda f^{X \to X}.\ \lambda x^X.\ N_{f,x,k}$, where $N_{f,x,k} = f(f(\cdots(f\,x)\cdots))$ ($k$ applications of $f$), and $\mathrm{ext}(\mathrm{Nat}) = (\forall X, X \to X, X, X)$.

Set $\gamma_0 = [c_{in} \mapsto (M_k, \mathrm{Nat})]$. Reduction for $M_k$:

$$(\Diamond, \gamma_0, \epsilon) \xrightarrow{\ c_{in}(\alpha_1, c_f, c_x)\ } ((M_k\,\alpha_1\,c_f\,c_x, \alpha_1), \gamma_0, \phi_0) \to ((c_f(N_{c_f,c_x,k-1}), \alpha_1), \gamma_0, \phi_0) \xrightarrow{\ \bar c_f(c_1)\ } ((\bullet, \alpha_1 \rightsquigarrow \alpha_1), \gamma_1, \phi_0) \xrightarrow{\ \mathrm{OKOK}\ } (\Diamond, \gamma_1, \phi_0)$$
$$\xrightarrow{\ c_1()\ } ((N_{c_f,c_x,k-1}, \alpha_1), \gamma_1, \phi_0) \to ((c_f(N_{c_f,c_x,k-2}), \alpha_1), \gamma_1, \phi_0) \xrightarrow{\ \bar c_f(c_2)\ } ((\bullet, \alpha_1 \rightsquigarrow \alpha_1), \gamma_2, \phi_0) \xrightarrow{\ \mathrm{OKOK}\ } (\Diamond, \gamma_2, \phi_0)$$
$$\cdots \xrightarrow{\ c_k()\ } ((c_x, \alpha_1), \gamma_k, \phi_0) \xrightarrow{\ \bar c_x()\ } ((\bullet, \alpha_1 \rightsquigarrow \alpha_1), \gamma_k, \phi_0) \xrightarrow{\ \mathrm{OKOK}\ } (\Diamond, \gamma_k, \phi_0)$$

where $\phi_0 = \{\alpha_1 \mapsto U,\ c_f \mapsto (\alpha_1 \to \alpha_1),\ c_x \mapsto \alpha_1\}$ and $\gamma_i = \gamma_{i-1} \cdot [c_i \mapsto (N_{c_f,c_x,k-i}, \alpha_1)]$.

Fig. 4. Top: traces for two terms of type $\mathrm{Unit} \to \mathrm{Unit}$. Bottom: traces for Church
numeral $M_k$.


Each reduction sequence in the LTS can only contain either term or context
configurations. In our discussion above and in Example 15 we examine the semantics
of terms, and therefore use term configurations. In later sections, when we
start looking at the semantics of contexts, we will be using context configurations
as well.

While we have not defined leaves for our LTS, there is a natural notion of
a trace being "completed". In particular, we call a trace $T$ complete if all its
questions have been answered. We write $\mathrm{CTr}(C)$ for the set of complete traces
generated from $C$. Term and context configurations can both produce complete
traces. Given a term configuration $C$ and a complete trace $T$, we write $C \Downarrow_T$
if $C \xrightarrow{T} C'$ and $C'$ has an empty evaluation stack. On the other hand, given a
context configuration $C$, a complete trace $T$ and a value $v$, we write $C \Downarrow_{T,v}$ if
$C \xrightarrow{T} C'$ and $C'$ has an evaluation stack with a single element $(v, \theta)$.

Lemma 16. Given a term configuration $C$ and $T \in \mathrm{Tr}(C)$, then $T$ is complete
iff $C \Downarrow_T$.

We conclude this section by looking at some restrictions characterising actual
configurations. We first extend $\mathrm{fst}$ to evaluation stacks by: $\mathrm{fst}(\Diamond) = \Diamond$ and
$\mathrm{fst}((Z, \_) :: \mathcal{E}) = Z :: \mathrm{fst}(\mathcal{E})$.


Definition 17. A configuration $(\mathcal{E}, \gamma, \phi)$ is said to be legal when:

— $\mathrm{dom}(\gamma) \cap \mathrm{dom}(\phi) = \emptyset$ and $\nu(\mathrm{fst}(\mathcal{E})) \cup \nu(\mathrm{cod}(\mathrm{fst}(\gamma))) \subseteq \mathrm{dom}(\phi)$;
— for all $c \in \mathrm{dom}(\gamma) \cap \mathrm{CN}$, given $\gamma(c) = (M, \theta)$, we have $\Delta_\phi; \Gamma_{\phi,\gamma} \vdash M : \theta\{\gamma\}$;
— if the top of $\mathcal{E}$ is $(M, \theta)$, then $\Delta_\phi; \Gamma_{\phi,\gamma} \vdash M : \theta'$ with either $\theta = \alpha \in \mathrm{dom}(\gamma)$
and $\gamma(\alpha) = (\theta', U)$, or $\theta = \alpha \in \mathrm{dom}(\phi)$ and $\theta' = \theta$, or $\theta = \theta'$ is a closed type
with empty support and $\mathcal{E} = [(M, \theta)]$;
— if $\mathcal{E} = (M, \alpha_1) :: (E, \alpha_2 \rightsquigarrow \theta) :: \mathcal{E}'$, either $\alpha_1 = \alpha_2$ or $\alpha_1 \in \mathrm{dom}(\phi)$;
— for all $(E, \alpha \rightsquigarrow \theta)$ in $\mathcal{E}$ with $\alpha \in \mathrm{dom}(\gamma)$, $\Delta_\phi; \Gamma_{\phi,\gamma} \vdash E : \theta' \rightsquigarrow \theta$ with $\gamma(\alpha) = (\theta', U)$, and either
$\theta = \alpha' \in \mathrm{dom}(\phi)$ or $\theta$ is a closed type with empty support, and $(E, \alpha \rightsquigarrow \theta)$ is
at the bottom of $\mathcal{E}$;
— for all $(E, \alpha \rightsquigarrow \theta)$ in $\mathcal{E}$ with $\alpha \in \mathrm{dom}(\phi)$, we have $\theta = \alpha$ and $E = \bullet$;

where $\Delta_\phi = \mathrm{dom}(\phi) \cap \mathrm{TN}$ and $\Gamma_{\phi,\gamma} = \{(x, \theta\{\mathrm{fst}(\gamma)\}) \mid (x, \theta) \in \phi\}$.

Lemma 18. If $C$ is a legal configuration and $C \xrightarrow{m} C'$ then $C'$ is a legal
configuration.


4 Parametricity in the Trace Model, and Proof of Theorem 5


We next examine the relationship between trace equivalence and the notions 
of Reynolds and Strachey equivalence. We prove that Strachey equivalence is 
included in trace equivalence (Theorem 21), which in turn is included in Reynolds 
equivalence (Theorem 28). 


4.1 From Strachey to Trace Equivalence 


Definition 19. Let $C_i = (\mathcal{E}_i, \gamma_i, \phi_i)$, for $i = 1, 2$, be two configurations. We say
that $C_1$ and $C_2$ are Strachey-equivalent when $\mathcal{E}_1$ and $\mathcal{E}_2$ have the same size,
$\mathrm{dom}(\gamma_1) = \mathrm{dom}(\gamma_2)$, $\phi_1 = \phi_2$ and:

— for all $c \in \mathrm{dom}(\gamma_1)$, if $\gamma_i(c) = (M_i, \theta_i)$ then $\theta_1 = \theta_2$ and $\mathrm{erase}(M_1) =_{\beta\eta} \mathrm{erase}(M_2)$;
— if $(Z_i, a_i)$ is the $j$-th element of $\mathcal{E}_i$, then $a_1 = a_2$ and $\mathrm{erase}(Z_1) =_{\beta\eta} \mathrm{erase}(Z_2)$;

where $E_1 =_{\beta\eta} E_2$ just if $E_1[x] =_{\beta\eta} E_2[x]$ for some/all fresh $x$.
The first inclusion can then be proven as follows.
The first inclusion can then be proven as follows. 


Lemma 20. Given two Strachey-equivalent legal configurations $C_1, C_2$, if $C_1 \xrightarrow{m} C_1'$ for some $m, C_1'$ then there is $C_2 \xrightarrow{m} C_2'$ such that $C_1'$ and $C_2'$ are Strachey-equivalent.

Theorem 21. For all Strachey-equivalent $\Delta; \Gamma \vdash M_1, M_2 : \theta$, we have $[\![M_1]\!] = [\![M_2]\!]$.

Proof. Taking $T \in [\![\Delta; \Gamma \vdash M_1 : \theta]\!]$, we prove that $T \in [\![\Delta; \Gamma \vdash M_2 : \theta]\!]$ by
induction on the length of $T$, using the previous lemma.


The inclusion above is strict. This is shown, for example, by the following
terms $M_{\mathrm{true}}, M_{\mathrm{false}} : \mathrm{Unit} \to \mathrm{Unit}$, which are trace equivalent but not
Strachey-equivalent:

$$M_b = \lambda f^{\mathrm{Unit}}.\ \Lambda X.\ \lambda x^X.\ \mathrm{snd}(f\,(\mathrm{Bool} \times X)\,\langle b, x\rangle) \qquad (b = \mathrm{true}, \mathrm{false})$$

Here we use the impredicative encoding of product types [8]: $\theta_1 \times \theta_2 = \forall X.(\theta_1 \to \theta_2 \to X) \to X$, $\langle M, N\rangle = \Lambda X.\ \lambda f^{\theta_1 \to \theta_2 \to X}.\ f\,M\,N$ and $\mathrm{snd} = \lambda x^{\theta_1 \times \theta_2}.\ x\,\theta_2\,(\lambda y^{\theta_1}.\ \lambda z^{\theta_2}.\ z)$. Setting $\gamma_0 = [c_{in} \mapsto (M_b, \mathrm{Unit} \to \mathrm{Unit})]$ and
$C_b = \langle \emptyset; \emptyset \vdash M_b : \mathrm{Unit} \to \mathrm{Unit} \rangle$, we have:

$$C_b \xrightarrow{\ c_{in}(c_f, \alpha, c)\ } ((\mathrm{snd}(c_f\,(\mathrm{Bool} \times \alpha)\,\langle b, c\rangle), \alpha), \gamma_0, \phi_0) \qquad (\phi_0 = [c_f \mapsto \mathrm{Unit},\ \alpha \mapsto U,\ c \mapsto \alpha])$$
$$\xrightarrow{\ \bar c_f(\beta, c')\ } ((\mathrm{snd}\,\bullet, \beta \rightsquigarrow \alpha), \gamma_1, \phi_0) \qquad (\gamma_1 = \gamma_0 \cdot [\beta \mapsto (\mathrm{Bool} \times \alpha, U),\ c' \mapsto (\langle b, c\rangle, \beta)])$$
$$\xrightarrow{\ c'()\ } ((\langle b, c\rangle, \beta) :: (\mathrm{snd}\,\bullet, \beta \rightsquigarrow \alpha), \gamma_1, \phi_0) \xrightarrow{\ \overline{\mathrm{OKOK}}\ } ((\mathrm{snd}\langle b, c\rangle, \alpha), \gamma_1, \phi_0)$$
$$\to ((c, \alpha), \gamma_1, \phi_0) \xrightarrow{\ \bar c()\ } ((\bullet, \alpha \rightsquigarrow \alpha), \gamma_1, \phi_0) \xrightarrow{\ \mathrm{OKOK}\ } (\Diamond, \gamma_1, \phi_0)$$

and this is the only complete trace in $[\![M_b]\!]$. Indeed, O cannot interrogate another
name, as $c_{in}$ can only be played once, and $c'$ cannot be played with the (OQ0)
rule.

The other inclusion (trace included in Reynolds) is more challenging and
requires us to introduce machinery for relating the semantics of terms and semantics
of contexts to that of terms and contexts composed.


4.2 Composite LTS 


We let a composite configuration be a tuple $(\mathcal{E}_P, \mathcal{E}_O, \gamma_P, \gamma_O)$, where $\gamma_P$ and
$\gamma_O$ are maps $\gamma$ as above, $\mathcal{E}_P$ is a term evaluation stack, and $\mathcal{E}_O$ is a context
evaluation stack. These configurations represent the interaction between a term
and a context. The term-part in the interaction is played by $\mathcal{E}_P$ and $\gamma_P$, while the
context-part by $\mathcal{E}_O$ and $\gamma_O$. As with ordinary configurations, we define an LTS
for composite ones in Fig. 5. Given a composite configuration $C$, a trace $T$ and a
value $v$ (hnf with empty support) we write $C \Downarrow_{T,v}$ when $C \xrightarrow{T} (\Diamond, [(v, \theta)], \gamma_P, \gamma_O)$.

34 G. Jaber and N. Tzevelekos

(P-INT) $((M, \alpha) :: \mathcal{E}_P, \mathcal{E}_O, \gamma_P, \gamma_O) \to ((M', \alpha) :: \mathcal{E}_P, \mathcal{E}_O, \gamma_P, \gamma_O)$ when $M \to^* M'$ (hnf).
(O-INT) $(\mathcal{E}_P, (M, \alpha) :: \mathcal{E}_O, \gamma_P, \gamma_O) \to (\mathcal{E}_P, (M', \alpha) :: \mathcal{E}_O, \gamma_P, \gamma_O)$ when $M \to^* M'$ (hnf).

(PA) $((M, \alpha) :: (E, \alpha \rightsquigarrow \theta) :: \mathcal{E}_P, (\bullet, \alpha \rightsquigarrow \alpha) :: \mathcal{E}_O, \gamma_P, \gamma_O) \xrightarrow{\ \overline{\mathrm{OKOK}}\ } ((E[M], \theta) :: \mathcal{E}_P, \mathcal{E}_O, \gamma_P, \gamma_O)$
with $M$ a hnf and $\alpha \in \mathrm{dom}(\gamma_P)$.

(OA) $((\bullet, \alpha \rightsquigarrow \alpha) :: \mathcal{E}_P, (M, \alpha) :: (E, \alpha \rightsquigarrow \theta) :: \mathcal{E}_O, \gamma_P, \gamma_O) \xrightarrow{\ \mathrm{OKOK}\ } (\mathcal{E}_P, (E[M], \theta) :: \mathcal{E}_O, \gamma_P, \gamma_O)$
with $M$ a hnf and $\alpha \in \mathrm{dom}(\gamma_O)$.

(PQ) $((E[c\,M_1 \cdots M_n], \alpha') :: \mathcal{E}_P, \mathcal{E}_O, \gamma_P, \gamma_O) \xrightarrow{\ \bar c(\bar a)\ } ((E, \alpha \rightsquigarrow \alpha') :: \mathcal{E}_P, (M\,\bar a, \alpha) :: \mathcal{E}_O, \gamma_P \cdot \gamma', \gamma_O)$
when $\alpha' \in \mathrm{dom}(\gamma_O)$, $\gamma_O(c) = (M, \theta)$, $\mathrm{ext}(\theta) = (\tau_1, \ldots, \tau_n, \xi)$ and $((a_1, \ldots, a_n), \gamma', \alpha) \in \mathrm{AVal}((M_1, \tau_1), \ldots, (M_n, \tau_n), \xi)$.

(OQ) $(\mathcal{E}_P, (E[c\,M_1 \cdots M_n], \theta) :: \mathcal{E}_O, \gamma_P, \gamma_O) \xrightarrow{\ c(\bar a)\ } ((M\,\bar a, \alpha) :: \mathcal{E}_P, (E, \alpha \rightsquigarrow \theta) :: \mathcal{E}_O, \gamma_P, \gamma_O \cdot \gamma')$
when $\theta = \alpha' \in \mathrm{dom}(\gamma_P)$ or $\theta$ a closed type with empty support, with $\gamma_P(c) = (M, \theta')$,
$\mathrm{ext}(\theta') = (\tau_1, \ldots, \tau_n, \xi)$ and $((a_1, \ldots, a_n), \gamma', \alpha) \in \mathrm{AVal}((M_1, \tau_1), \ldots, (M_n, \tau_n), \xi)$.

Fig. 5. Composite LTS.

Composite configurations allow us to compose a term and a context semantically:
we essentially play the traces of one against the other. Another way to
obtain a composite semantics is to work syntactically, i.e. by composing configurations
and then executing the resulting term. This is defined next.


Definition 22. Given two evaluation stacks $(\mathcal{E}_P, \mathcal{E}_O)$, we build their merge
(which may not always be defined) $\mathcal{E}_P \| \mathcal{E}_O$ inductively by $\Diamond \| [(M, \theta)] = M$ and:

$$((M, \alpha) :: \mathcal{E}_P) \| ((E, \alpha \rightsquigarrow \theta) :: \mathcal{E}_O) = \mathcal{E}_P \| ((E[M], \theta) :: \mathcal{E}_O)$$
$$((E, \alpha \rightsquigarrow \theta) :: \mathcal{E}_P) \| ((M, \alpha) :: \mathcal{E}_O) = ((E[M], \theta) :: \mathcal{E}_P) \| \mathcal{E}_O$$

When it is defined, we say that $\mathcal{E}_P, \mathcal{E}_O$ are compatible. Then, a composite
configuration $C = (\mathcal{E}_P, \mathcal{E}_O, \gamma_P, \gamma_O)$ is legal when $(\mathcal{E}_P, \mathcal{E}_O)$ are compatible and
when both $(\mathcal{E}_P, \gamma_P, \mathrm{snd}(\gamma_O))$ and $(\mathcal{E}_O, \gamma_O, \mathrm{snd}(\gamma_P))$ are legal.

We now relate the reduction of a composite configuration with the head
reduction of the merge of its two evaluation stacks. First, taking the two environments
$\gamma_P, \gamma_O$ of a legal composite configuration, we compute their closure
$(\gamma_P \cdot \gamma_O)^*$ as follows. Setting $\gamma^0 = \mathrm{fst}(\gamma_P \cdot \gamma_O)$, and $\gamma^i = \{(a, M\{\gamma^{i-1}\}) \mid (a, M) \in \gamma^{i-1}\}$ ($i > 0$), there is an integer $n$ such that $\nu(\mathrm{cod}(\gamma^n)) = \emptyset$. We write $(\gamma_P \cdot \gamma_O)^*$
for the environment defined as $\gamma^n$, for the least $n$ satisfying this latter condition.


Theorem 23. Given a legal composite configuration $C = (\mathcal{E}_P, \mathcal{E}_O, \gamma_P, \gamma_O)$, then
$C \Downarrow_{T,v}$ iff $(\mathcal{E}_P \| \mathcal{E}_O)\{(\gamma_P \cdot \gamma_O)^*\} \to^* v$.

Finally, we relate the LTS's for composite configurations and ordinary configurations
(Theorem 26). Combined with Theorem 23, this gives us a correlation
between the traces of two compatible configurations and the head reduction we
obtain once we merge their evaluation stacks.
Definition 24. Given legal configurations $C_P = (\mathcal{E}_P, \gamma_P, \phi_P)$ and $C_O = (\mathcal{E}_O, \gamma_O, \phi_O)$, we say that they are compatible when $\mathcal{E}_P, \mathcal{E}_O$ are compatible,
$\mathrm{snd}(\gamma_P) = \phi_O$ and $\mathrm{snd}(\gamma_O) = \phi_P$. For each pair $(C_P, C_O)$ of compatible configurations,
we define their merge $C_P \bowtie C_O$ as the composite configuration
$(\mathcal{E}_P, \mathcal{E}_O, \gamma_P, \gamma_O)$.

Lemma 25. Taking $(C_P, C_O)$ a pair of compatible configurations, $C_P \bowtie C_O \Downarrow_{T,v}$
iff $C_P \Downarrow_T$ and $C_O \Downarrow_{T^\perp, v}$.

Theorem 26. Given $C_{P1}, C_{P2}, C_O$ such that $C_{P1}, C_O$ and $C_{P2}, C_O$ are pairwise
compatible and $\mathrm{Tr}(C_{P1}) = \mathrm{Tr}(C_{P2})$, if $C_{P1} \bowtie C_O \Downarrow_{T,v}$ then $C_{P2} \bowtie C_O \Downarrow_{T,v}$.

Proof. From Lemma 25 we get $C_{P1} \Downarrow_T$ and $C_O \Downarrow_{T^\perp, v}$. Thus, $T \in \mathrm{Tr}(C_{P1})$
and hence $T \in \mathrm{Tr}(C_{P2})$. Lemma 16 then yields $C_{P2} \Downarrow_T$ and, from Lemma 25,
$C_{P2} \bowtie C_O \Downarrow_{T,v}$.


4.3 Proof of Theorem 5 


Theorem 5 follows from Theorems 21 and 28. Theorem 28, which is proved
below, shows that any trace equivalent terms are also Reynolds equivalent. This
is achieved as follows. In the previous section we saw how to relate reductions
of terms-in-context to the semantics of terms and contexts. Given terms $M_1, M_2$
which are trace equivalent, and fully applying them to related arguments, we
obtain head reductions to values. These reductions can be decomposed into LTS
reductions producing corresponding traces, for the terms and their argument
terms (which form contexts). But, since the terms are trace equivalent, $M_2$ can
simulate the behaviour of $M_1$ in the context of $M_1$, and that allows us to show
that the two composites reduce to the same value.

We start by extending logical relations to extended types with empty support.
We define $\mathcal{R}[\![\mathrm{ext}(\theta)]\!]_\delta$ by:

$$\mathcal{R}[\![X]\!]_\delta = \{\, R \mid \delta(X) = (\_, \_, R) \,\}$$
$$\mathcal{R}[\![\theta :: L]\!]_\delta = \{\, (M_1, N_1) :: L' \mid (M_1, N_1) \in \mathcal{R}[\![\theta]\!]_\delta \wedge L' \in \mathcal{R}[\![L]\!]_\delta \,\}$$
$$\mathcal{R}[\![\forall X :: L]\!]_\delta = \{\, (\theta_1, \theta_2) :: L' \mid (\theta_1, \theta_2, R) \in \mathrm{Rel} \wedge L' \in \mathcal{R}[\![L]\!]_{\delta \cdot [X \mapsto (\theta_1, \theta_2, R)]} \,\}$$

Lemma 27. $(M_1, M_2) \in \mathcal{R}[\![\theta]\!]_\delta$ iff for all $((N_1^1, N_2^1), \ldots, (N_1^n, N_2^n), R) \in
\mathcal{R}[\![\mathrm{ext}(\theta)]\!]_\delta$, $(M_1\,N_1^1 \cdots N_1^n,\ M_2\,N_2^1 \cdots N_2^n) \in R$.

Theorem 28. For all trace equivalent $\Delta; \Gamma \vdash M_1, M_2 : \theta$, we have that
$M_1 \simeq_{\mathrm{log}} M_2$.

Proof. Taking $\delta \in \mathcal{R}[\![\Delta]\!]$ and $(\eta_1, \eta_2) \in \mathcal{R}[\![\Gamma]\!]_\delta$, we show $(M_1\{\eta_1\}\{\delta_1\},
M_2\{\eta_2\}\{\delta_2\}) \in \mathcal{R}[\![\theta]\!]_\delta$. Using Lemma 27, we take $((N_1^1, N_2^1), \ldots, (N_1^n, N_2^n), R) \in
\mathcal{R}[\![\mathrm{ext}(\theta)]\!]_\delta$, and prove that $(M_1\{\eta_1\}\{\delta_1\}\,N_1^1 \cdots N_1^n,\ M_2\{\eta_2\}\{\delta_2\}\,N_2^1 \cdots N_2^n) \in R$.

For each $i \in \{1, 2\}$, there exists a value $v_i$ s.t. $M_i\{\eta_i\}\{\delta_i\}\,N_i^1 \cdots N_i^n \to^* v_i$.
Using the closure of $R$ w.r.t. $=_{\beta\eta}$, it suffices to show that $(v_1, v_2) \in R$.
Suppose $\Delta = X_1, \ldots, X_k$ and $\Gamma = x_1 : \theta_1, \ldots, x_m : \theta_m$. We write
$C_{P_i}$ for the configuration $\langle \Delta; \Gamma \vdash M_i : \theta \rangle$, and $C_{O_i}$ for the configuration
$([(c_{in}\,\delta_i(X_1) \cdots \delta_i(X_k)\,\eta_i(x_1) \cdots \eta_i(x_m)\,N_i^1 \cdots N_i^n, \theta)], \epsilon, [c_{in} \mapsto \hat\theta])$, where $\hat\theta =
\forall X_1. \cdots \forall X_k.\ \theta_1 \to \cdots \to \theta_m \to \theta$.

From Theorem 23, for each $i \in \{1, 2\}$ there is a trace $T_i$ such that
$C_{P_i} \bowtie C_{O_i} \Downarrow_{T_i, v_i}$. $M_1, M_2$ being trace equivalent, we have that $\mathrm{Tr}(C_{P_1}) =
\mathrm{Tr}(C_{P_2})$. So from Theorem 26, we get that $C_{P_2} \bowtie C_{O_1} \Downarrow_{T_1, v_1}$, and from
Theorem 23 that $M_2\{\eta_1\}\{\delta_1\}\,N_1^1 \cdots N_1^n \to^* v_1$. Finally, from Theorem 2, we
get that $(M_2\{\eta_1\}\{\delta_1\}\,N_1^1 \cdots N_1^n,\ M_2\{\eta_2\}\{\delta_2\}\,N_2^1 \cdots N_2^n) \in R$. Thus, using the
closure of $R$ w.r.t. $=_{\beta\eta}$, we have that $(v_1, v_2) \in R$.


5 Related and Future Work 


The literature on parametric polymorphism is vast; here we look at the works
closest to ours, which come from the game semantics area. The first game model
for System F was introduced by Hughes [9,10]. The model is intensional, in the
sense that it is fully complete for $\beta\eta$-equivalence. Starting from that model, de
Lataillade [5,6] characterised parametricity categorically via the notion of dinaturality
[4]. In [2], Abramsky and Jagadeesan developed a model for System F
to characterise genericity, as introduced by Longo et al. [17]. A type $\theta$ is said to
be generic when two terms $M_1, M_2$ of type $\forall X.\theta'$ are equivalent just if $M_1\,\theta$ and
$M_2\,\theta$ are equivalent. Their model contains several generic types. More recently,
Laird [15] has introduced a game model for System F augmented with mutable
variables. His model is closer to ours than the previous ones, and in particular
his notion of copycat links can be seen as connected to the use of names for
parametricity.

In all of the above models the denotation of terms is built compositionally by 
induction on the structure of the term. In a different line of work, closer in spirit 
to our model, Lassen and Levy [16] have introduced normal form bisimulations 
for a language with parametric polymorphism. These bisimulations are defined 
on LTSs whose definition has similarities with ours. However, the model is for 
a CPS-style language which has not only polymorphic but also recursive types. 
Finally, our own model for a higher-order polymorphic language with general 
references [13] can be seen as a direct precursor to this work, albeit in a very 
different setting (call-by-value, with references). 

Further on, we would like to study the existence of generic types in our model, 
as well as its dinaturality properties. We would moreover like to examine coarser 
notions of trace equivalence that bring us closer to Reynolds polymorphism. 
Finally, we would like to see if the trace model can be used to prove the original 
conjecture of [1,20]. While this seems plausible in principle, proving equivalences 
using definable logical relations requires additional tools, such as restrictions on 
the LTS, to avoid circular reasoning. 
Abstract. The purpose of this paper is to define in a clean and conceptual
way a non-deterministic and sheaf-theoretic variant of the category
of simple games and deterministic strategies. One thus starts by associating
to every simple game a presheaf category of non-deterministic strategies.
The bicategory of simple games and non-deterministic strategies is
then obtained by a construction inspired by the recent work by Melliès
and Zeilberger on type refinement systems. We show that the resulting
bicategory is symmetric monoidal closed and cartesian. We also define
a 2-comonad which adapts the Curien-Lamarche exponential modality
of linear logic to the 2-dimensional and non deterministic framework.
We conclude by discussing in what sense the bicategory of simple games
defines a model of non deterministic intuitionistic linear logic.


1 Introduction


A new generation of 2-categorical and sheaf-theoretic game semantics is currently 
emerging in the field of programming language semantics. The games and strate- 
gies which determine them are more sophisticated mathematically, and also more 
difficult to define rigorously, than they were in the deterministic case. For that 
reason, it is timely to examine more closely the 2-categorical and sheaf-theoretic 
frameworks available to us in order to formulate these games and strategies in 
a suitably clean and conceptual way. In this investigation, one benefits from the 
efforts made in the past twenty-five years to give a clearer mathematical sta- 
tus to the previous generation of game semantics, which was (to a large extent) 
based on the notion of arena game. We recognize three main lines of work here: 


1. the logical approach advocated by Girard, and formulated in ludics [3], polarized
linear logic [7] or tensorial logic [12] with its connection to continuations
and string diagrams,
2. the combinatorial approach advocated by Hyland, inspired by algebraic topology,
and based on the combinatorial description of the structure of pointers
in arena games [4],
3. the concurrent and asynchronous approach advocated by Melliès, based on
the description of arena games as asynchronous games, and of strategies as
causal concurrent structures playing on them, either in an alternated [9-11]
or in a non-alternated way [18].

© The Author(s) 2018


Interestingly, all the sheaf-theoretic frameworks designed for game seman- 
tics today are offsprings of the third approach based on asynchronous games: 
on the one hand, the notion of concurrent strategy in [19] is a sheaf-theoretic 
transcription of the notion of receptive ingenuous strategy formulated in [18]; on 
the other hand, the sheaf-theoretic notion of non-deterministic innocent strat- 
egy in [13,17] relies on the diagrammatic and local definition of innocence in 
alternated asynchronous games [11]. For that reason, our purpose in this paper 
is to investigate the connection with the second approach, different in spirit and 
design, and to define a bicategory of simple games and non-deterministic strate- 
gies in the sheaf-theoretic style of Harmer et al. [4]. As we will see, our work 
also integrates a number of elements coming from the first approach, and more 
specifically, the discovery by Melliès that strategies are presented by generators
and relations, and for that reason, are prone to factorisation theorems [14,15]. 
Since we are interested in sheaf-theoretic models of computations, we should not 
forget to mention the pioneering work by Hirschowitz and Pous on models of 
process calculi [5], and its recent connection to game semantics [2]. 

In the present paper, we start from the category $\mathcal{G}$ of simple games and
deterministic strategies between them, and we explain how to turn $\mathcal{G}$ into a
bicategory $\mathcal{S}$ of simple games and non-deterministic strategies. As we will see,
the construction of $\mathcal{S}$ relies on the discovery of a number of elementary but
fundamental fibrational properties of the original category $\mathcal{G}$. Since our work is
built on [4], let us recall that a simple game $A$ is defined there as a contravariant
presheaf $A : \omega^{op} \to \mathbf{Set}$ over the order category $\omega = 0 \to 1 \to 2 \to \cdots$ associated
to the infinite countable ordinal $\omega$. A simple game $A$ is thus a family of sets $A_n$,
together with a function $\pi_n : A_{n+1} \to A_n$ for all $n \in \mathbb{N}$, depicted as:

$$A_0 \xleftarrow{\ \pi_0\ } A_1 \xleftarrow{\ \pi_1\ } A_2 \xleftarrow{\ \pi_2\ } \cdots \xleftarrow{\ \pi_{n-1}\ } A_n \xleftarrow{\ \pi_n\ } A_{n+1} \xleftarrow{\ \pi_{n+1}\ } \cdots$$

One requires moreover that $A_0$ is the singleton set. The intuition is that $A$ is
a rooted tree; that $A_n$ contains its plays (or branches) of length $n$; and that $\pi_n$
is the prefix function which transports every play of length $n + 1$ to its prefix of
length $n$. In particular, every simple game $A$ contains only one play of length 0,
which should be thought of as the empty play. Every simple game $A$ should be
moreover understood as alternating: here, the intuition is that every play of odd
length $2n + 1$ ends with an Opponent move, and that every play of even length
$2n$ ends with a Player move if $n > 0$.


Terminology: An element $a \in A_n$ is called a position of degree $n$ in the game $A$.
The position $a \in A_n$ is called a P-position when its degree $n$ is even, and an O-position
when its degree $n$ is odd. Given a position $a \in A_{n+1}$, we write $\pi(a)$ for
the position $\pi_n(a)$; similarly, given a position $a \in A_{n+2}$, we write $\pi^2(a)$ for the
position $\pi_n \circ \pi_{n+1}(a)$. A simple game $A$ is called O-branching when the function
$\pi : A_{2n+2} \to A_{2n+1}$ is injective, for all $n \in \mathbb{N}$. This means that every Opponent
position $a \in A_{2n+1}$ can be extended in at most one way into a Player position
$b \in A_{2n+2}$, for all $n \in \mathbb{N}$.

We start the paper by formulating a sheaf-theoretic notion of non-deterministic
P-strategy on a simple game $A$. Recall that a deterministic P-strategy
$\sigma$ of a simple game $A$ is defined in [4] as a family of subsets $\sigma_{2n} \subseteq A_{2n}$
of P-positions, satisfying the following properties, for all $n \in \mathbb{N}$:

(i) Unique empty play: $\sigma_0$ is equal to the singleton set $A_0$,
(ii) Closure under even prefixes: if $a \in \sigma_{2n+2}$ then $\pi^2(a) \in \sigma_{2n}$,
(iii) Determinacy: if $a, b \in \sigma_{2n}$ with $\pi(a) = \pi(b)$, then $a = b$.


In order to generalize this definition to non-deterministic P-strategies, we find it
convenient to consider the full subcategory $\omega_P$ of $\omega$ consisting of the strictly
positive even numbers, of the form $2n$ for $n > 0$; and the inclusion functor
$\iota_P : \omega_P \to \omega$. Define the presheaf $A_P = A \circ \iota_P$ as the simple game $A$ obtained
as the restriction of the presheaf $A : \omega^{op} \to \mathbf{Set}$ to the subcategory $\omega_P$:

$$A_P = \omega_P^{op} \xrightarrow{\ \iota_P\ } \omega^{op} \xrightarrow{\ A\ } \mathbf{Set}$$

The collection $A_P$ thus consists of all the Player positions in $A$, except for
the initial one $* \in A(0)$. This leads us to the following definition of (non-
deterministic) P-strategy on a simple game $A$:


Definition 1. A P-strategy o on a simple game A is a presheaf S : wp — Set 
over the category wp together with a morphism of presheaves o : S > Ap. We 
write o : A in that case. The presheaf S is called the support of the strategy o 
and the elements of Son are called the runs of degree 2n of the strategy, for n > 0. 


In other words, a P-strategy $\sigma$ on $A$ is a family of sets $S_{2n}$ indexed by strictly positive numbers $n > 0$, related between them by functions $(\pi_P)_{2n} : S_{2n+2} \to S_{2n}$ pictured as:

$$S_2 \xleftarrow{\;\pi_P\;} S_4 \xleftarrow{\;\pi_P\;} \cdots \xleftarrow{\;\pi_P\;} S_{2n} \xleftarrow{\;\pi_P\;} S_{2n+2} \xleftarrow{\;\pi_P\;} \cdots$$


together with a family of functions $\sigma_{2n} : S_{2n} \to A_{2n}$ making the diagram below commute, for all $n > 0$:

$$\begin{array}{ccccc} S_{2n} & \xleftarrow{\;\pi_P\;} & & & S_{2n+2} \\ \downarrow{\scriptstyle\sigma_{2n}} & & & & \downarrow{\scriptstyle\sigma_{2n+2}} \\ A_{2n} & \xleftarrow{\;\pi\;} & A_{2n+1} & \xleftarrow{\;\pi\;} & A_{2n+2} \end{array}$$

that is, $\sigma_{2n} \circ (\pi_P)_{2n} = \pi_{2n} \circ \pi_{2n+1} \circ \sigma_{2n+2}$.
To every simple game $A$, we associate the category $\mathbf{P}(A)$ of P-strategies over $A$, defined as the slice category

$$\mathbf{P}(A) \;=\; [\omega_P^{op}, \mathbf{Set}] \,/\, A_P \qquad (1)$$


whose objects are thus the strategies over $A$, and whose morphisms $\theta : \sigma \to \tau$ between two strategies $\sigma : S \to A$ and $\tau : T \to A$ are the morphisms $\theta : S \to T$ of presheaves satisfying the expected equation $\sigma = \tau \circ \theta$. We will call those simulations. One main contribution of the paper is the observation that the family of categories $\mathbf{P}(A)$ can be organised into a pseudofunctor

$$\mathbf{P} \;:\; \mathcal{G} \to \mathbf{Cat}$$


from the category $\mathcal{G}$ of simple games and deterministic strategies. The pseudofunctor $\mathbf{P}$ is moreover monoidal, in the sense that there exists a family of functors

$$m_{A,B} \;:\; \mathbf{P}(A) \times \mathbf{P}(B) \to \mathbf{P}(A \otimes B)$$


indexed by simple games $A, B$. As a symmetric monoidal closed category, the category $\mathcal{G}$ is enriched over itself, with the simple game $\mathcal{G}(A,B) = A \multimap B$ constructed from the simple games $A$ and $B$. Here comes the nice point of the construction: the bicategory $\mathcal{S}$ is simply defined as the bicategory with simple games $A, B$ as objects, and with

$$\mathcal{S}(A,B) \;=\; \mathbf{P}(A \multimap B)$$


as category of morphisms between two simple games $A$ and $B$. In other words, a morphism $\sigma : A \to B$ in $\mathcal{S}$ is a P-strategy $\sigma : A \multimap B$, and a 2-cell $\theta : \sigma \Rightarrow \tau : A \to B$ is a morphism $\theta : \sigma \to \tau$ in the category $\mathbf{P}(A \multimap B)$. At this point, the fact that $\mathcal{S}$ defines a bicategory is easily derived from the lax monoidal structure of the pseudofunctor $\mathbf{P}$. Recall that, as a symmetric monoidal closed category, the category $\mathcal{G}$ is enriched over itself. From a conceptual point of view, the construction of the bicategory $\mathcal{S}$ thus amounts to a change of enrichment category along the lax monoidal pseudofunctor $\mathbf{P} : \mathcal{G} \to \mathbf{Cat}$, transforming the $\mathcal{G}$-enriched category $\mathcal{G}$ into the (weak) $\mathbf{Cat}$-enriched category $\mathcal{S}$.

Besides the construction of $\mathcal{S}$, great care will be devoted to the analysis of the Curien-Lamarche exponential comonad $!$ on the category $\mathcal{G}$ and to the recipe to turn it into an exponential 2-comonad on the bicategory $\mathcal{S}$. The construction relies on the existence of a family of functors

$$\sharp_A \;:\; \mathbf{P}(A) \to \mathbf{P}(!A)$$


called "promotion" functors, and natural in the simple game $A$ in the category $\mathcal{G}$. In particular, the functorial part of the exponential 2-comonad $! : \mathcal{S} \to \mathcal{S}$ is defined as the composite:

$$\mathbf{P}(A \multimap B) \xrightarrow{\;\sharp_{A \multimap B}\;} \mathbf{P}(!(A \multimap B)) \xrightarrow{\;\mathbf{P}(n_{A,B})\;} \mathbf{P}(!A \multimap !B)$$

where $n_{A,B} : !(A \multimap B) \to !A \multimap !B$ is the canonical morphism in $\mathcal{G}$ which provides the structure of a lax monoidal functor to the original comonad $! : \mathcal{G} \to \mathcal{G}$.


2 Non-deterministic P-strategies as P-cartesian Transductions


As explained in the introduction, a P-strategy $\sigma \in \mathbf{P}(A)$ over a simple game $A$ is defined as an object of the slice category (1) in the category $[\omega_P^{op}, \mathbf{Set}]$ of contravariant presheaves over $\omega_P$. We will use the fact that the slice category is equivalent to the category of contravariant presheaves

$$\mathbf{P}(A) \;=\; [\omega_P^{op}, \mathbf{Set}] \,/\, A_P \;\simeq\; [\mathrm{tree}(A_P)^{op}, \mathbf{Set}]$$


over the Grothendieck category $\mathrm{tree}(A_P)$ generated by the presheaf $A_P \in [\omega_P^{op}, \mathbf{Set}]$. The category $\mathrm{tree}(A_P)$ has the P-positions of the simple game $A$ as objects, and a morphism $a \to a'$ between $a \in A_{2p}$ and $a' \in A_{2q}$ precisely when $p \le q$ and $\pi^{2q-2p}(a') = a$. In other words, it is the order category associated to the tree of P-positions of the simple game $A$.

We find it convenient for later purposes to reformulate non-deterministic P-strategies in the following way. This paves the way to a comprehension theorem for the pseudofunctor $\mathbf{P}$, which will be established in the next section. A transduction $\theta : A \to B$ between two simple games $A, B : \omega^{op} \to \mathbf{Set}$ is defined as a natural transformation between the presheaves $A$ and $B$, given by a family of functions $\theta_n : A_n \to B_n$ making the square $\square_n$ below commute, for all $n \in \mathbb{N}$:

$$\begin{array}{ccc} A_n & \xleftarrow{\;\pi_n\;} & A_{n+1} \\ \downarrow{\scriptstyle\theta_n} & \square_n & \downarrow{\scriptstyle\theta_{n+1}} \\ B_n & \xleftarrow{\;\pi_n\;} & B_{n+1} \end{array}$$


A transduction $\theta : A \to B$ is called P-cartesian when $\square_{2n}$ is a pullback square for all $n \in \mathbb{N}$; and O-cartesian when $\square_{2n+1}$ is a pullback square for all $n \in \mathbb{N}$. We write $\mathcal{T}$ for the category of simple games and transductions between them, and $\mathcal{T}_P$ (resp. $\mathcal{T}_O$) for the subcategory of P-cartesian (resp. O-cartesian) transductions. Note that the restriction functor

$$(-)_P \;:\; [\omega^{op}, \mathbf{Set}] \to [\omega_P^{op}, \mathbf{Set}]$$


is a fibration, and that a transduction $\theta : A \to B$ between simple games is P-cartesian precisely when it defines a cartesian morphism with respect to the fibration $(-)_P$. For that reason, a P-cartesian transduction $\theta : A \to B$ is entirely characterized by the family of functions $\theta_{2n} : A_{2n} \to B_{2n}$ on the P-positions of the simple games $A$ and $B$, for $n \in \mathbb{N}$. From this follows easily that


Proposition 1. A P-strategy $\sigma$ on a simple game $A$ is the same thing as a simple game $S$ together with a P-cartesian transduction $S \to A$. The simple game $S$ is uniquely determined by $\sigma$ up to isomorphism. It is called the support (or run-tree) of $\sigma$, and noted $\{A \,|\, \sigma\}$, while the P-cartesian transduction is noted $\mathrm{supp}_\sigma : \{A \,|\, \sigma\} \to A$.
Note that the definition applies the general principle formulated in [18] that a strategy $\sigma$ of a game $A$ is a specific kind of map (here a P-cartesian transduction) $S \to A$ from a given game $S = \{A \,|\, \sigma\}$ to the game $A$ of interest. One benefit of this principle is that it unifies the two concepts of game and of strategy, by regarding a strategy $\sigma$ of a game $A$ as a game $S$ "embedded" in an appropriate way by $S \to A$ inside the simple game $A$. This insight coming from [18] underlies for instance the construction in [19] of a category of non-deterministic strategies between asynchronous games.

Typically, consider the simple game $A = B_1 \multimap B_2$ where $B$ is the simple boolean game with a unique initial Opponent move $q$ and two Player moves $tt$ for true and $ff$ for false; and where the indices $1, 2$ are here to indicate the component of the boolean game $B$. The simple game $A$ may be represented as the decision tree below:


[Decision tree of $A$, alternating Player and Opponent levels from the root: Player $\ast$; Opponent $a$; Player $b, a_1, a_2$; Opponent $b_1, b_2$; Player $b_{11}, b_{12}, b_{21}, b_{22}$. Each edge is labelled by a move of $A$.]


where the sets of positions are defined as:

$$A_0 = \{\ast\} \qquad A_1 = \{a\} \qquad A_2 = \{b, a_1, a_2\} \qquad A_3 = \{b_1, b_2\} \qquad A_4 = \{b_{11}, b_{12}, b_{21}, b_{22}\}$$


and where the branches are induced by the prefix functions $\pi_n : A_{n+1} \to A_n$ depicted on the picture above. For the reader's convenience, we label every edge of $A$ by the name of the move which would be used in the more familiar definition of simple games, where plays are defined as sequences of moves [1,6]. Note that every position $a \in A_n$ of degree $n$ is determined by its occurrence, defined as the sequence of $n$ moves from the root $\ast$ to the position $a$ in the tree $A$. Typically, the P-position $b \in A_2$ has occurrence $q_2 \cdot q_1$ and the P-position $b_{21} \in A_4$ has occurrence $q_2 \cdot q_1 \cdot tt_1 \cdot ff_2$.


By way of illustration, we define the P-strategy $\sigma \in \mathbf{P}(A)$ as the presheaf below

$$\ast \mapsto \{x\} \qquad a_1 \mapsto \{z\} \qquad a_2 \mapsto \emptyset \qquad b \mapsto \{y\} \qquad b_{11} \mapsto \emptyset \qquad b_{12} \mapsto \emptyset \qquad b_{21} \mapsto \{z'\} \qquad b_{22} \mapsto \{z'', z'''\}$$


on the Grothendieck category $\mathrm{tree}(A_P)$ associated to the presheaf $A_P$ of P-positions in $A$. As explained in Proposition 1, the P-strategy $\sigma$ may be equivalently defined as the simple game $S = \{A \,|\, \sigma\}$ below

[Run-tree $S$, alternating Player and Opponent levels from the root: Player $x$; Opponent; Player $y, z$; Opponent; Player $z', z'', z'''$. Each edge is labelled by the corresponding move of $A$.]


together with the P-cartesian transduction $\mathrm{supp}_\sigma : \{A \,|\, \sigma\} \to A$ described as:

$$x \mapsto \ast \qquad y \mapsto b \qquad z \mapsto a_1 \qquad z' \mapsto b_{21} \qquad z'' \mapsto b_{22} \qquad z''' \mapsto b_{22}$$


It is worth mentioning that the transduction $\mathrm{supp}_\sigma$ may be recovered from the moves labelled on the run-tree $S = \{A \,|\, \sigma\}$. This pictorial description provides a convenient way to describe how the non-deterministic P-strategy $\sigma$ plays on $A$. Typically, when questioned by the initial move $q_2$ of the game, the non-deterministic P-strategy $\sigma$ answers $tt_2$ with the run $z \in S_2$ or asks the value of the input boolean by playing the move $q_1$; when the Opponent answers with the move $tt_1$, the P-strategy reacts by playing the value $ff_2$ with the run $z' \in S_4$ or by playing the value $tt_2$ with the runs $z'', z''' \in S_4$. Note in particular that the P-strategy $\sigma$ is allowed to play two different runs $z'', z''' \in S_4$ of the same play $b_{22} \in A_4$.
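As an added example (not code from the paper), the boolean game above and the run-tree construction of Proposition 1 can be checked mechanically: the position names and the runs $x, y, z, z', z'', z'''$ follow the example as printed, while the encoding of a simple game as sets of positions with a predecessor map, the function names, and the pullback test are assumptions of this example.

```python
"""Run-tree of a non-deterministic P-strategy and the P-cartesian check."""
from itertools import chain


class SimpleGame:
    """A finite simple game: positions[n] is the set of positions of degree n
    and pred[p] the predecessor pi(p) of every position p of degree n >= 1."""

    def __init__(self, positions, pred):
        self.positions = positions
        self.pred = pred

    def degree(self, p):
        return next(n for n, ps in enumerate(self.positions) if p in ps)


# The boolean game A = B1 -o B2 of the paper, with the position names it uses.
A = SimpleGame(
    positions=[{"*"}, {"a"}, {"b", "a1", "a2"}, {"b1", "b2"},
               {"b11", "b12", "b21", "b22"}],
    pred={"a": "*", "b": "a", "a1": "a", "a2": "a", "b1": "b", "b2": "b",
          "b11": "b1", "b12": "b1", "b21": "b2", "b22": "b2"},
)

# The P-strategy sigma as a presheaf on tree(A_P): each run lies over a
# P-position and, from degree 4 on, has a prefix run of degree 2n-2. Runs over
# a2, b11, b12 are absent, i.e. sigma sends those P-positions to the empty set.
SIGMA_POS = {"x": "*", "y": "b", "z": "a1",
             "z'": "b21", "z''": "b22", "z'''": "b22"}
SIGMA_PREFIX = {"y": "x", "z": "x", "z'": "y", "z''": "y", "z'''": "y"}


def build_run_tree(game, run_pos, run_prefix):
    """Construct S = {A | sigma} and supp_sigma as (SimpleGame, theta dict).

    Even positions of S are the runs. An odd position of S is a pair (s, o) of
    a run s of degree 2n and an O-position o of A with pi(o) = sigma(s): this
    is exactly what makes every even square of supp_sigma a pullback.
    """
    depth = len(game.positions)
    positions = [set() for _ in range(depth)]
    pred, theta = {}, {}
    for run, p in run_pos.items():
        n = game.degree(p)
        if n % 2:
            raise ValueError(f"run {run} lies over the O-position {p}")
        if run in run_prefix and \
                run_pos[run_prefix[run]] != game.pred[game.pred[p]]:
            raise ValueError(f"run {run} is not closed under even prefixes")
        positions[n].add(run)
        theta[run] = p
        if run in run_prefix:
            pred[run] = (run_prefix[run], game.pred[p])
        for o in game.positions[n + 1] if n + 1 < depth else ():
            if game.pred[o] == p:
                positions[n + 1].add((run, o))
                pred[(run, o)] = run
                theta[(run, o)] = o
    return SimpleGame(positions, pred), theta


def is_transduction(S, game, theta):
    """theta commutes with the predecessor maps (naturality of Section 2)."""
    return all(theta[S.pred[t]] == game.pred[theta[t]]
               for t in chain.from_iterable(S.positions[1:]))


def is_pullback_square(S, game, theta, n):
    """Square n: S_n <- S_{n+1} over A_n <- A_{n+1}. It is a pullback iff
    t |-> (pi(t), theta(t)) is a bijection onto {(s, q) : theta(s) = pi(q)}."""
    target = {(s, q) for s in S.positions[n] for q in game.positions[n + 1]
              if theta[s] == game.pred[q]}
    image = [(S.pred[t], theta[t]) for t in S.positions[n + 1]]
    return len(image) == len(set(image)) and set(image) == target


def is_p_cartesian(S, game, theta):
    """All even squares are pullbacks: the non-deterministic choices of sigma
    live at the odd squares only."""
    return is_transduction(S, game, theta) and all(
        is_pullback_square(S, game, theta, n)
        for n in range(0, len(S.positions) - 1, 2))


def is_o_cartesian(S, game, theta):
    return is_transduction(S, game, theta) and all(
        is_pullback_square(S, game, theta, n)
        for n in range(1, len(S.positions) - 1, 2))


if __name__ == "__main__":
    S, supp = build_run_tree(A, SIGMA_POS, SIGMA_PREFIX)
    print("P-cartesian:", is_p_cartesian(S, A, supp))  # True
    print("O-cartesian:", is_o_cartesian(S, A, supp))  # False: two runs over b22, none over a2
```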


3 P-cartesian Transductions as Deterministic Strategies


In the previous section, we have seen how to regard every non-deterministic P-strategy $\sigma \in \mathbf{P}(B)$ as a P-cartesian transduction $\mathrm{supp}_\sigma : \{B \,|\, \sigma\} \to B$ into the simple game $B$. Our purpose here is to show that every P-cartesian transduction $\theta : A \to B$ can be seen as a particular kind of deterministic strategy of the simple game $A \multimap B$.


Definition 2 (Total strategies). A deterministic strategy $\sigma$ of a simple game $A$ is total when for every O-position $s$ such that the P-position $\pi(s)$ is an element of $\sigma$, there exists a P-position $t$ in the strategy $\sigma$ such that $\pi(t) = s$.


Definition 3 (Back-and-forth strategies). Given two simple games $A$ and $B$, a back-and-forth strategy $f$ of the simple game $A \multimap B$ is a deterministic and total strategy whose positions are all of the form $(c, a, b)$ where $c : n \to n$ is a copycat schedule.


Back-and-forth strategies compose, and thus define a subcategory of $\mathcal{G}$:


Definition 4 (The category BF). The category $\mathbf{BF}$ of back-and-forth strategies is the subcategory of $\mathcal{G}$ whose objects are the simple games and whose morphisms $f : A \to B$ are the back-and-forth strategies of $A \multimap B$.
As a matter of fact, we will be particularly interested here in the subcategory $\mathbf{BF}^{*}$ of functional back-and-forth strategies in the category $\mathbf{BF}$.


Definition 5 (Functional strategies). A functional strategy $f$ of the simple game $A \multimap B$ is a back-and-forth strategy such that for every position $a \in A_n$ of degree $n$ in the simple game $A$, there exists a unique position $b \in B_n$ of the same degree in $B$ such that $(c, a, b) \in f$, where $c : n \to n$ is the copycat schedule.


The following basic observation justifies our interest in the notion of functional strategy:


Proposition 2. For all simple games $A, B$, there is a one-to-one correspondence between the P-cartesian transductions $A \to B$ and the functional strategies in $A \multimap B$.


Proof. See Appendix E. 


For that reason, we will identify P-cartesian transductions and functional strategies from now on. Put together with Proposition 1, this leads us to the following correspondence, which holds for every simple game $A$:


Proposition 3. The category $\mathbf{P}(A)$ is equivalent to the slice category $\mathbf{BF}^{*}/A$.


The result may be understood as a preliminary form of comprehension: it states that every non-deterministic P-strategy $\sigma \in \mathbf{P}(A)$ may be equivalently seen as a functional P-strategy

$$\mathrm{supp}_\sigma \;:\; \{A \,|\, \sigma\} \to A \qquad (2)$$


in the category $\mathcal{G}$ of simple games and deterministic strategies, obtained by composing the equivalences stated in Propositions 1 and 3. Note that the simple game $\{A \,|\, \sigma\}$ coincides with the run-tree $S$ of the non-deterministic strategy $\sigma$ formulated in Proposition 1 and that the functional strategy $\mathrm{supp}_\sigma$ coincides with the P-cartesian transduction which "projects" the support $S$ on the simple game $A$. The property (Proposition 3) is important from a methodological point of view, because it enables us to use the rich toolbox developed for simple games and deterministic strategies, in order to handle non-deterministic strategies inside the category $\mathcal{G}$.


4 The Pseudofunctor P

Suppose given a P-strategy $\sigma \in \mathbf{P}(A)$ over the simple game $A$ and a morphism $f : A \to B$ in the category $\mathcal{G}$.


Definition 6. The P-strategy $\mathbf{P}(f)(\sigma) \in \mathbf{P}(B)$ over the simple game $B$ is defined as the contravariant presheaf over $\mathrm{tree}(B_P)$ which transports every P-position $b$ of the simple game $B$ to the disjoint union defined below:

$$\mathbf{P}(f)(\sigma) \;:\; b \;\mapsto\; \coprod_{(e,a,b) \in f} \sigma(a) \qquad (3)$$
The fact that (3) defines a presheaf over $\mathbf{P}(B)$ and that $\mathbf{P}$ is a pseudofunctor (see Definition 24) is established in Appendix F.

This construction equips the family of presheaf categories $\mathbf{P}(A)$ with the structure of a pseudofunctor $\mathbf{P} : \mathcal{G} \to \mathbf{Cat}$. Moreover, the pseudofunctor $\mathbf{P}$ has comprehension in the sense of Lawvere [8]. For every simple game $B$, the comprehension functor is defined as the composite

$$\{B \,|\, -\} \;:\; \mathbf{P}(B) \to \mathbf{BF}^{*}/B \to \mathcal{G}/B$$


which transports every non-deterministic P-strategy to the morphism (2) seen as an object of $\mathcal{G}/B$. One establishes that


Theorem 1 (Comprehension). For every simple game $B$, the comprehension functor

$$\{B \,|\, -\} \;:\; \mathbf{P}(B) \to \mathcal{G}/B$$

has a left adjoint functor

$$\mathrm{image} \;:\; \mathcal{G}/B \to \mathbf{P}(B).$$


Given a deterministic strategy $f : A \to B$, the contravariant presheaf $\mathrm{image}(f)$ over the category $\mathrm{tree}(B_P)$ transports every P-position $b$ of the game $B$ to the set below:

$$\mathrm{image}(f) \;:\; b \;\mapsto\; \{\, (e,a) \;|\; (e,a,b) \in f \,\}$$

Note that the presheaf $\mathrm{image}(f)$ may be also described by the formula

$$\mathrm{image}(f) \;=\; \mathbf{P}(f)(\ast_A) \;\in\; \mathbf{P}(B)$$


where $\ast_A$ is the terminal object in the category $\mathbf{P}(A)$ of P-strategies over $A$. Note that the run-tree $\{A \,|\, \ast_A\}$ of the P-strategy $\ast_A \in \mathbf{P}(A)$ is the simple game $A$ itself, with $\mathrm{supp}_{\ast_A}$ the identity $i_A : A \to A$. In other words, the P-strategy $\ast_A$ has exactly one run over each position of the simple game $A$.

Also note that we will occasionally note the positions of $\mathrm{image}(f)$ as $b(e,a)$ when there is need to emphasize the fact that $\mathrm{image}(f)$ is a contravariant presheaf over $\mathrm{tree}(B_P)$.


5 The Slender-Functional Factorisation Theorem 


In order to establish the comprehension theorem, we prove a factorization theorem in the original category $\mathcal{G}$, which involves slender and functional strategies.


Definition 7. A deterministic strategy $f$ in a simple game $A \multimap B$ is slender when for every P-position $b$ in the simple game $B$, there exists exactly one P-position $a$ of the simple game $A$ and exactly one schedule $e$ such that $(e, a, b) \in f$.
By extension, we say that a morphism $f : A \to B$ in the category $\mathcal{G}$ is slender when the deterministic strategy $f$ is slender in $A \multimap B$. Note that every isomorphism $f : A \to B$ in the category $\mathcal{G}$ is both slender and functional.


Proposition 4. Suppose that $A$ and $B$ are two simple games and that $f$ is a deterministic strategy of $A \multimap B$. Then, there exists a slender strategy $g : A \to C$ and a functional strategy $h : C \to B$ such that $f = h \circ g$.


The simple game $C$ is defined as $\{B \,|\, \mathrm{image}(f)\}$ while the slender strategy $g : A \to C$ is defined as

$$g \;=\; \{\, (e, a, (e, a, b)) \;|\; (e, a, b) \in f \,\}$$


and $h : C \to B$ is the functional strategy $\mathrm{supp}_{\mathrm{image}(f)}$ associated in Proposition 3 to the P-strategy $\mathrm{image}(f) \in \mathbf{P}(B)$.


Proposition 5. Suppose that $s : X \to Y$ and $f : A \to B$ are two morphisms of the category $\mathcal{G}$. Suppose moreover that $s$ is slender and that $f$ is functional. Then, $s : X \to Y$ is orthogonal to $f : A \to B$ in the sense that for all morphisms $u : X \to A$ and $v : Y \to B$ making the diagram (a) commute, there exists a unique morphism $h : Y \to A$ making the diagram (b) commute in the category $\mathcal{G}$:

$$\text{(a)}\quad \begin{array}{ccc} X & \xrightarrow{\;u\;} & A \\ \downarrow{\scriptstyle s} & & \downarrow{\scriptstyle f} \\ Y & \xrightarrow{\;v\;} & B \end{array} \qquad\qquad \text{(b)}\quad \begin{array}{ccc} X & \xrightarrow{\;u\;} & A \\ \downarrow{\scriptstyle s} & \nearrow{\scriptstyle h} & \downarrow{\scriptstyle f} \\ Y & \xrightarrow{\;v\;} & B \end{array}$$

that is, $v \circ s = f \circ u$ in (a), and $h \circ s = u$ together with $f \circ h = v$ in (b).


The deterministic strategy $h : Y \to A$ is defined as

$$h \;=\; \{\, (e, y, a) \;|\; \exists x \in X,\; b \in B,\; e', e'' \in \Upsilon,\;\; (e, y, b) \in v \;\wedge\; (c, a, b) \in f \;\wedge\; (e', x, y) \in s \;\wedge\; (e'', x, a) \in u \,\}$$


Note that the position $b$ is uniquely determined by the position $a$ because $f$ is functional, and that the pair $(e', x)$ is uniquely determined by the position $y$ because $s$ is slender. Moreover, by determinism of $u = h \circ s$, the schedule $e''$ is entirely determined by the schedules $e$ and $e'$.


Theorem 2 (Factorization theorem). The classes $S$ of slender morphisms and $F$ of functional morphisms define a factorization system $(S, F)$ in the category $\mathcal{G}$.
It is a folklore result that, in that situation, the comprehension theorem (Theorem 1) follows from the factorization theorem. The reason is that the category $\mathbf{P}(B)$ is equivalent (by Proposition 3) to the full subcategory $\mathbf{BF}^{*}/B$ of functional strategies in the slice category $\mathcal{G}/B$. Seen from that point of view, the comprehension functor $\{B \,|\, -\}$ coincides with the embedding of $\mathbf{BF}^{*}/B$ into $\mathcal{G}/B$. It is worth noting that for every P-strategy $\sigma \in \mathbf{P}(A)$, one has an isomorphism

$$\sigma \;\cong\; \mathrm{image}(\mathrm{supp}_\sigma)$$


in the category $\mathbf{P}(A)$, and that one has an isomorphism

$$\mathbf{P}(f)(\sigma) \;\cong\; \mathrm{image}(f \circ \mathrm{supp}_\sigma) \qquad (4)$$


in the category $\mathbf{P}(B)$, for every morphism $f : A \to B$ in the category $\mathcal{G}$. This provides an alternative way to define the pseudofunctor $\mathbf{P}$.


6 The Bicategory $\mathcal{S}$ of Simple Games and Non-deterministic Strategies


In this section, we explain how to construct a bicategory $\mathcal{S}$ of simple games and non-deterministic strategies, starting from the category $\mathcal{G}$. The first step is to equip the pseudofunctor $\mathbf{P}$ with a lax monoidal structure (see Definition 25), based on the definition of tensor product in the category $\mathcal{G}$ formulated in [4], see Appendix B for details. We start by observing that


Proposition 6. Suppose given two morphisms $f : A \to B$ and $g : C \to D$ in the category $\mathcal{G}$ of simple games and deterministic strategies. The morphism

$$f \otimes g \;:\; A \otimes C \to B \otimes D$$

is slender when $f$ and $g$ are slender, and functional when $f$ and $g$ are functional.

Proof. See Appendix G.


Note that the isomorphism $\mathrm{image}(f \otimes g) \cong \mathrm{image}(f) \otimes \mathrm{image}(g)$ follows immediately from this statement and from the factorization theorem (Theorem 2), for every pair of morphisms $f : A \to B$ and $g : C \to D$ in the category $\mathcal{G}$. The tensor product $\sigma \otimes \tau$ of two P-strategies $\sigma$ and $\tau$ is defined in the same spirit, using comprehension:


Definition 8. Suppose that $\sigma \in \mathbf{P}(A)$ is a P-strategy of a simple game $A$ and that $\tau \in \mathbf{P}(B)$ is a P-strategy of a simple game $B$. The tensor product $\sigma \otimes \tau$ is the P-strategy of the simple game $A \otimes B$ defined as

$$\sigma \otimes \tau \;=\; \mathrm{image}(\mathrm{supp}_\sigma \otimes \mathrm{supp}_\tau).$$
Here, the morphism $\mathrm{supp}_\sigma \otimes \mathrm{supp}_\tau : \{A \,|\, \sigma\} \otimes \{B \,|\, \tau\} \to A \otimes B$ denotes the tensor product (computed in the original category $\mathcal{G}$) of the morphisms $\mathrm{supp}_\sigma$ and $\mathrm{supp}_\tau$. A direct description of $\sigma \otimes \tau \in \mathbf{P}(A \otimes B)$ is also possible, as the presheaf which transports every position $(e, a, b)$ of the simple game $A \otimes B$ to the set-theoretic product below:

$$\sigma \otimes \tau \;:\; (e, a, b) \;\mapsto\; \sigma(a) \times \tau(b).$$


As indicated in the introduction, the tensor product of P-strategies defines a family of functors $m_{A,B} : \mathbf{P}(A) \times \mathbf{P}(B) \to \mathbf{P}(A \otimes B)$ which, together with the isomorphism of categories $m_1 : \mathbf{1} \to \mathbf{P}(1)$, equips the pseudofunctor $\mathbf{P}$ with a lax monoidal structure:

Theorem 3. The pseudofunctor $\mathbf{P}$ equipped with the family of functors $m_{A,B}$ and $m_1$ defines a lax monoidal pseudofunctor from $(\mathcal{G}, \otimes, 1)$ to $(\mathbf{Cat}, \times, \mathbf{1})$.


Proof. See Appendix H. 


The bicategory $\mathcal{S}$ of simple games and non-deterministic strategies is deduced from the lax monoidal pseudofunctor $\mathbf{P}$ in the following generic way, inspired by the idea of monoidal refinement system [16].


Definition 9. The bicategory $\mathcal{S}$ has simple games $A, B, C$ as objects, with the hom-category $\mathcal{S}(A,B)$ defined as

$$\mathcal{S}(A,B) \;=\; \mathbf{P}(A \multimap B)$$

and the composition functor

$$\circ_{A,B,C} \;:\; \mathbf{P}(B \multimap C) \times \mathbf{P}(A \multimap B) \to \mathbf{P}(A \multimap C)$$


defined as the composite

$$\mathbf{P}(B \multimap C) \times \mathbf{P}(A \multimap B) \xrightarrow{\;m_{B \multimap C,\, A \multimap B}\;} \mathbf{P}((B \multimap C) \otimes (A \multimap B)) \xrightarrow{\;\mathbf{P}(\mathrm{comp}_{A,B,C})\;} \mathbf{P}(A \multimap C)$$


where $\mathrm{comp}_{A,B,C} : (B \multimap C) \otimes (A \multimap B) \to (A \multimap C)$ is the morphism which internalizes composition in the symmetric monoidal closed category $\mathcal{G}$. In the same way, the identity in $\mathbf{P}(A \multimap A)$ is defined as the composite

$$\mathbf{1} \xrightarrow{\;m_1\;} \mathbf{P}(1) \xrightarrow{\;\mathbf{P}(id_A)\;} \mathbf{P}(A \multimap A)$$

where the morphism $id_A : 1 \to (A \multimap A)$ internalizes the identity morphism in $\mathcal{G}$.


Proposition 7. The bicategory $\mathcal{S}$ is symmetric monoidal closed in the sense that there exists a family of isomorphisms

$$\Phi_{A,B,C} \;:\; \mathcal{S}(A \otimes B, C) \;\cong\; \mathcal{S}(B, A \multimap C).$$
The isomorphism $\Phi_{A,B,C}$ is defined as the image by the pseudofunctor $\mathbf{P}$ of the isomorphism

$$\varphi_{A,B,C} \;:\; (A \otimes B) \multimap C \;\cong\; B \multimap (A \multimap C)$$

in the category $\mathcal{G}$ between the underlying simple games. One benefit of our conceptual approach is that the monoidal closed structure of $\mathcal{S}$ is neatly deduced from the monoidal closed structure of the original category $\mathcal{G}$.


7 The Exponential Modality on the Category $\mathcal{G}$


Now that the monoidal bicategory $\mathcal{S}$ has been defined, we analyze how the exponential modality defined in [4] adapts to our sheaf-theoretic framework.


Definition 10. Let $A$ be a simple game. $!A$ is the simple game whose set $(!A)_n$ of positions of degree $n$ consists of the pairs $(\phi, \bar a)$ such that:

— $\phi$ is an O-heap over $n$ and $\bar a = (a_1, \dots, a_n)$ is a sequence of positions of $A$,
— for each $k \in \{1, \dots, n\}$, the sequence of positions in $\bar a = (a_1, \dots, a_n)$ corresponding to the branch of $k$ in $\phi$ defines a play

$$(a_k,\; a_{\phi(k)},\; a_{\phi^2(k)},\; \dots)$$

of the simple game $A$.

The predecessor function $\pi_n : (!A)_{n+1} \to (!A)_n$ is defined as $\pi(\phi, \bar a) = (\phi|_{\langle n \rangle}, \bar a|_{\langle n \rangle})$.

Definition 11. Let $f$ be a deterministic strategy of $A \multimap B$. The deterministic strategy $!f$ of $!A \multimap !B$ consists of the positions $(e, (\phi, \bar a), (\psi, \bar b))$ such that $\phi = e^{*}\psi$ and, for each branch of $\langle \phi, e, \psi \rangle$, the positions associated to that branch are played by $f$.


It is worth observing that the construction of $!f : !A \to !B$ can be decomposed in the following way. Consider the morphism

$$n_{A,B} \;:\; !(A \multimap B) \to !A \multimap !B$$


obtained by currying the composite morphism

$$!(A \multimap B) \otimes !A \;\longrightarrow\; !((A \multimap B) \otimes A) \;\xrightarrow{\;!\,\mathrm{ev}_{A,B}\;}\; !B$$

in the symmetric monoidal closed category $\mathcal{G}$, where the first arrow is the coercion morphism which provides the exponential modality $! : \mathcal{G} \to \mathcal{G}$ with the structure of a lax monoidal functor, and the second is the image by $!$ of the evaluation morphism of $\mathcal{G}$.
Definition 12 ($\sharp f$). Given a deterministic strategy $f$ of a simple game $A$, the deterministic strategy $\sharp f$ of the simple game $!A$ has as positions the pairs $(\phi, \bar a)$ such that for each branch of $(\phi, \bar a)$, the positions associated to that branch are played by the deterministic strategy $f$.


Proposition 8. Given a morphism $f : A \to B$ of the category $\mathcal{G}$ and its curried form $\lambda a.f : 1 \to A \multimap B$, the composite morphism

$$1 \xrightarrow{\;\sharp(\lambda a.f)\;} !(A \multimap B) \xrightarrow{\;n_{A,B}\;} !A \multimap !B$$

is the curried form $\lambda x : !A.\,!f$ in the category $\mathcal{G}$ of the morphism $!f : !A \to !B$.


More details about the original exponential modality in $\mathcal{G}$ will be found in Appendix C. By analogy with Proposition 6, we establish that


Proposition 9. Suppose that $f : A \to B$ is a morphism in the category $\mathcal{G}$. Then, the morphism

$$!f \;:\; !A \to !B$$

is slender when $f$ is slender, and functional when $f$ is functional.


Proof. See Appendix I. 


8 The Exponential Modality on the Bicategory $\mathcal{S}$


In this section, we define the linear exponential modality $! : \mathcal{S} \to \mathcal{S}$ on the symmetric monoidal closed bicategory $\mathcal{S}$, in order to define a bicategorical model of intuitionistic linear logic. The construction is inspired by the observation made in the previous section (Proposition 8).


Definition 13. Given a P-strategy $\sigma \in \mathbf{P}(A)$ of a simple game $A$, the P-strategy $\sharp\sigma$ of the simple game $!A$ is defined as the image in $\mathbf{P}(!A)$ of the morphism

$$!\mathrm{supp}_\sigma \;:\; !\{A \,|\, \sigma\} \to !A.$$


Note that the definition of $\sharp\sigma$ induces a commutative diagram in the category $\mathcal{G}$

$$\begin{array}{ccc} !\{A \,|\, \sigma\} & \xrightarrow{\;\cong\;} & \{!A \,|\, \sharp\sigma\} \\ & {\scriptstyle !\mathrm{supp}_\sigma}\searrow & \downarrow{\scriptstyle \mathrm{supp}_{\sharp\sigma}} \\ & & !A \end{array}$$

where the top arrow is an isomorphism. Moreover, the definition of $\sharp\sigma$ coincides with the previous definition (Definition 12) when the P-strategy $\sigma = f$ happens to be deterministic. Consequently, for two games $A, B$ and a deterministic strategy $f : A \to B$, we have $\mathrm{image}(!f) = \sharp_B\,\mathrm{image}(f)$ and $\sharp_{A \multimap B}\, f = \sharp f$.

As mentioned in the introduction, this construction $\sigma \mapsto \sharp\sigma$ defines a functor

$$\sharp_A \;:\; \mathbf{P}(A) \to \mathbf{P}(!A).$$


Now, remember that a morphism $\sigma : A \to B$ of the bicategory $\mathcal{S}$ is defined as a P-strategy

$$\sigma \in \mathbf{P}(A \multimap B).$$

For that reason, every such morphism $\sigma : A \to B$ induces a P-strategy

$$\sharp\sigma \in \mathbf{P}(!(A \multimap B)).$$

In order to turn the P-strategy $\sharp\sigma$ into a P-strategy

$$!\sigma \in \mathbf{P}(!A \multimap !B)$$

we apply the functor

$$\mathbf{P}(n_{A,B}) \;:\; \mathbf{P}(!(A \multimap B)) \to \mathbf{P}(!A \multimap !B)$$


to the P-strategy $\sharp\sigma$, where

$$n_{A,B} \;:\; !(A \multimap B) \to !A \multimap !B$$


denotes the structural morphism of $\mathcal{G}$ defined in the previous section. The construction may be summarized as follows:

Definition 14. The morphism $!\sigma : !A \to !B$ of the bicategory $\mathcal{S}$ associated to the morphism $\sigma : A \to B$ is defined as the P-strategy

$$\mathbf{P}(n_{A,B})(\sharp\sigma) \;\in\; \mathbf{P}(!A \multimap !B).$$


Theorem 4. With this definition, $! : \mathcal{S} \to \mathcal{S}$ defines a pseudofunctor from the bicategory $\mathcal{S}$ to itself.


Proof. See Appendix J. 
The family of morphisms

$$\delta_A \;:\; !A \to !!A \qquad\qquad \varepsilon_A \;:\; !A \to A$$

are defined with the same deterministic strategies in $\mathbf{P}(!A \multimap !!A)$ and $\mathbf{P}(!A \multimap A)$ as in the original category $\mathcal{G}$. One checks that the families $\delta$ and $\varepsilon$ define natural transformations between pseudonatural functors on $\mathcal{S}$ (as defined
in Definition 26), and that the 2-functor $! : \mathcal{S} \to \mathcal{S}$ defines a 2-comonad in the appropriate bicategorical sense (see Definition 27). The family of morphisms

$$d_A \;:\; !A \to !A \otimes !A \qquad\qquad e_A \;:\; !A \to 1$$

are defined with the same deterministic strategies in $\mathbf{P}(!A \multimap !A \otimes !A)$ and $\mathbf{P}(!A \multimap 1)$ as in the original category $\mathcal{G}$, and one checks that they define natural transformations between pseudonatural functors on $\mathcal{S}$. One obtains in this way that


Theorem 5. The bicategory $\mathcal{S}$ equipped with the exponential modality $! : \mathcal{S} \to \mathcal{S}$ defines a bicategorical model of multiplicative intuitionistic linear logic.


The formal and rigorous verification of these facts would be extremely tedious if done directly on the bicategory $\mathcal{S}$ of non-deterministic strategies. Our proof relies on the fact that the constructions of the model (Definitions 9, 14) are performed by "push" functors $\mathbf{P}(f)$ above a structural morphism $f$ living in the original category $\mathcal{G}$. The interested reader will find part of the detailed proof in Appendix K.


9 Conclusion 


We construct a bicategory $\mathcal{S}$ of simple games and non-deterministic strategies, which is symmetric monoidal closed in the extended 2-dimensional sense. We then equip the bicategory $\mathcal{S}$ with a linear exponential modality $! : \mathcal{S} \to \mathcal{S}$ which defines a bicategorical model of intuitionistic linear logic. This provides, as far as we know, the first sheaf-theoretic and non-deterministic game semantics of intuitionistic linear logic, including, in particular, a detailed description of the exponential modality.


A The Category $\mathcal{G}$ of Simple Games and Deterministic Strategies


We recall the construction of the category $\Upsilon$ of schedules performed in [4] and how we deduce from it the category $\mathcal{G}$ of simple games and deterministic strategies.

Definition 15 (Schedule). A schedule is defined as a function $e : \{1, \dots, n\} \to \{0, 1\}$ verifying $e(1) = 1$ and $e(2k+1) = e(2k)$ whenever $1 \le 2k \le n-1$. The numbers of $0$'s and $1$'s in $e$ are noted $|e|_0$ and $|e|_1$ respectively. A schedule $e$ is noted $e : |e|_0 \to |e|_1$.


A schedule $e : p \to q$ may be equivalently seen as a couple $l : \langle p \rangle \to \langle p+q \rangle$ and $r : \langle q \rangle \to \langle p+q \rangle$ of order-preserving and globally surjective functions, such that $r(1) = 1$ and

$$l(i) \text{ odd} \;\Rightarrow\; l(i+1) = l(i)+1 \qquad\qquad r(j) \text{ even} \;\Rightarrow\; r(j+1) = r(j)+1$$

for all $1 \le i \le p-1$ and $1 \le j \le q-1$, where $\langle n \rangle$ stands for the finite ordinal

$$\langle n \rangle = \{1, \dots, n\}.$$
Definition 16. The category of schedules $\Upsilon$ has the natural numbers as objects, and the schedules $e : p \to q$ as morphisms from $p$ to $q$.


The identity morphism $c : p \to p$ is the copycat schedule $c$ characterized by the fact that $c(2k+1) \ne c(2k+2)$ for all $k$ with $2k+2 \le 2p$. Details on the composition of two schedules $e : p \to r$ and $e' : r \to q$ as a schedule $e.e' : p \to q$ can be found in [4]. Now, we explain how we derive the category $\mathcal{G}$ from the category $\Upsilon$. We start by defining the simple game $A \multimap B$ of linear maps from $A$ to $B$:


Definition 17. The simple game $A \multimap B$ is defined as the set $(A \multimap B)_n$ of all the triples $(e, a, b)$ consisting of a schedule $e : p \to q$ with $p + q = n$, a position $a \in A_p$ and $b \in B_q$. The predecessor function $\pi$ is defined as

$$\pi(e, a, b) \;=\; \begin{cases} (e|_{\langle n-1 \rangle},\; \pi(a),\; b) & \text{if } e(n) = 0 \\ (e|_{\langle n-1 \rangle},\; a,\; \pi(b)) & \text{if } e(n) = 1 \end{cases}$$


Definition 18. The category $\mathcal{G}$ has simple games $A, B$ as objects, and deterministic P-strategies $f, g$ of $A \multimap B$ as morphisms from $A$ to $B$. Note that we use latin letters instead of greek letters for deterministic strategies. The identity morphism $i_A : A \to A$ is defined as the P-strategy of $A \multimap A$ whose positions of degree $2n$ are the triples $(c, a, a)$ where $c : n \to n$ is the copycat schedule, and $a \in A_n$. The composite $g \circ f : A \to C$ of two deterministic P-strategies $f : A \to B$ and $g : B \to C$ is the deterministic P-strategy whose set of positions of degree $2n$ is defined as

$$(g \circ f)_{2n} \;=\; \coprod_{\substack{e : p \to r,\; e' : r \to q \\ p + q = 2n}} \{\, (e.e', a, c) \;|\; \exists b \in B_r,\; (e, a, b) \in f_{p+r},\; (e', b, c) \in g_{r+q} \,\}$$


B The Tensor Product in the Category $\mathcal{G}$


Definition 19 (Tensorial schedule). A $\otimes$-schedule is a function $e : \{1, \dots, n\} \to \{0, 1\}$ verifying $e(2k+1) = e(2k+2)$ whenever $0 \le 2k \le n-2$.


Definition 20 ($A \otimes B$). The positions of the simple game $A \otimes B$ of degree $n$ are the triples $(e, a, b)$ where $e : p \otimes q$ is a $\otimes$-schedule with $p + q = n$, $a \in A_p$ and $b \in B_q$. The predecessor function $\pi$ is defined, as in Definition 17, by

$$\pi(e, a, b) \;=\; \begin{cases} (e|_{\langle n-1 \rangle},\; \pi(a),\; b) & \text{if } e(n) = 0 \\ (e|_{\langle n-1 \rangle},\; a,\; \pi(b)) & \text{if } e(n) = 1 \end{cases}$$


The simple game $1$ is the simple game with a unique position $\ast$, of degree $0$.


We can also define $\otimes$ on strategies. Intuitively, for $f : A \to B$ and $g : C \to D$ two morphisms of the category $\mathcal{G}$, the plays of the strategy $f \otimes g$ of the simple game $(A \otimes C) \multimap (B \otimes D)$ are obtained by combining through a tensorial schedule plays of $f$ and $g$.

The intuition is that, once we know the structure of $f$ and $g$, the structure of plays of $f \otimes g$ is entirely directed by what happens in $B \otimes D$. The only agency that Opponent really has is to decide at some points whether to play on $B$ or $D$, the rest being handled by the plays of $f$, $g$ and the structure of $(A \otimes C) \multimap (B \otimes D)$. Formally, this gives the proposition:


Proposition 10. Let $f : A \to B$, $g : C \to D$ be two deterministic strategies. Assuming a valid play of $f \otimes g : A \otimes C \to B \otimes D$ and the associated schedules $e : A \otimes C \to B \otimes D$, $t_1 : A \otimes C$, $t_2 : B \otimes D$, $e_1 : A \to B$, $e_2 : C \to D$, the knowledge of $t_2, e_1, e_2$ is enough to reconstruct $e$ and $t_1$.


Proof. The first O move of such a play is in $B \otimes D$ to follow the structure of $A \otimes C \multimap B \otimes D$. This is given to us by $t_2$. Let us assume it is a move in $D$ (the other case is handled similarly).

The P move after that will necessarily be a move in $C$ or $D$, as playing a move in $A$, $B$ would break the structure of $A \multimap B$, $B \otimes D$ respectively. $e_2$ gives us the information.


— If it is a move in $D$, we go back to a situation equivalent to the initial one. We have also started to reconstruct $e$, which starts by $11$.

— If it is a move in $C$, we start to reconstruct both $e$, which starts by $10$, and $t_1$, which starts by $1$.


In this last case, the following O move will be a move in $C$ as a move in $A$, $B$, $D$ would break the structure of $A \multimap B$, $B \otimes D$, $C \multimap D$ respectively. $e$ is then at $100$ and $t_1$ at $11$.

Finally, the following P move will be a move in either $C$ or $D$ as a move in $A$, $B$ would break the structure of $A \multimap B$, $B \otimes D$ respectively. $e_2$ gives us this information.


— If it is a move in $D$, we go back to a situation equivalent to the initial one. We have also started to reconstruct $e$, which starts by $1001$, and $t_1$, which starts by $11$. We have also played the first two moves of $t_2$, which is at $11$.

— If it is a move in $C$, we go back to the preceding situation (the one with a fixed O move in $C$) with $e$ at $1000$ and $t_1$ at $111$.


To sum up the described construction, once an opponent move in $B$ or $D$ is played, the play is stuck playing in either $A \multimap B$ or $C \multimap D$ until a player move is played in $B$, $D$ respectively. $t_2$ decides whether to play the opponent move in $B$ or $D$, and $e_1$ guides the play in $A \multimap B$ in the first case, $e_2$ guides it in $C \multimap D$ in the second. This guides us through the whole play and allows us to reconstruct both $e$ and $t_1$.

In particular, any compatible plays of $f$, $g$, $B \otimes D$ induce a play of $f \otimes g$.


This proposition and its proof are key in several proofs we will make in the 
rest of the paper. 


Proposition 11. The category $(\mathcal{G}, \otimes, 1, \multimap)$ is symmetric monoidal closed.


Categorical Combinatorics for Non Deterministic Strategies 57 


C The Exponential Modality on the Category $\mathcal{G}$


In this section, we recall the combinatorial structures introduced in [4] to construct the linear exponential comonad $! : \mathcal{G} \to \mathcal{G}$ on the symmetric monoidal closed category $\mathcal{G}$.


Definition 21 (Pointer function). A pointer function on n is a parity-
reversing function


φ : {1, ..., n} → {0, ..., n − 1}


such that φ(i) < i for all i. A pointer function φ is called an O-heap if
φ(2k) = 2k − 1 for all k, and a P-heap if φ(2k + 1) = 2k for all k. The set
{k, φ(k), φ²(k), ...} will be called the branch of φ associated to the integer k.
Note that the predecessor function π defined as π(i) = i − 1 for all i is both an
O-heap and a P-heap.


Definition 22. Suppose that e : p → q is a schedule, that φ is an O-heap over
q and that ψ is a P-heap over p. The O-heap (φ, e, ψ) on p + q is defined as
follows:


(φ, e, ψ)(k) =
  r(φ(j))   if k = r(j) is odd
  l(ψ(i))   if k = l(i) is odd
  k − 1     otherwise


where the schedule e is represented as a pair (l, r) as explained in Appendix A.
Intuitively, the O-heap (φ, e, ψ) points alongside φ when the schedule e is at 1
and alongside ψ otherwise. The fact that (φ, e, ψ) defines an O-heap is ensured
by the even case.


We recall the partial order over the set of pointer functions introduced in [4]. 


Definition 23 (Generalization). Given two pointer functions φ, ψ, we say
that φ is a generalization of ψ if the branch of φ associated
to k ∈ {1, .., n} can be injected in the branch of ψ associated to k, or, in other
words, if for all k, there exists j such that φ(k) = ψ^j(k).


Further in the paper, and in certain proofs, we will also need to look into the
structure of !!A. Intuitively, positions of !!A are pairs (φ, ā) where ā is a sequence
of positions of !A and φ an O-heap. It is equivalent to another representation
using only a sequence of positions of A:


Proposition 12. A position (φ, ā) of !!A is equivalent to (φ, ψ, ā) with φ a generalization of ψ,
ψ an O-heap, ā a sequence of positions of A, verifying


∀i, j ∈ {1, ..., n}, (i ≠ j) ⇒ ∃h, a_{ψ^h(i)} ≠ a_{ψ^h(j)}


The moves alongside the branches of ψ are then plays of the simple game A.
From this follows a description of the strategy
!!f : !!A ⊸ !!B
for a deterministic strategy f : A ⊸ B. The positions of !!f are of the form


(e, (φ, ψ, ā), (φ', ψ', b̄))
where e*φ' = φ, e*ψ' = ψ and each thread of (ψ, e, ψ') is a play of the strategy f.


D Some Bicategorical Definitions 


In this section, we recall a few definitions required by our bicategorical setting. 


Definition 24. A pseudofunctor is a mapping between bicategories C and D
where the usual functorial equations F(f ∘ g) = F(f) ∘ F(g) and F(Id_A) = Id_{F(A)}
are only valid up to natural bijective 2-morphisms in D.


Definition 25. Let (C, ⊗_C, 1_C) and (D, ⊗_D, 1_D) be two monoidal bicategories.
A lax monoidal pseudofunctor between them is given by:


— a pseudofunctor F : C → D

— a morphism ε : 1_D → F(1_C)

— for every pair of objects A, B ∈ C, a natural transformation μ_{A,B} : F(A) ⊗_D
F(B) → F(A ⊗_C B)

satisfying the following conditions:

— associativity: For every triple of objects A, B, C ∈ C, the following diagram
commutes:


[commutative diagram: the top edge is α^D_{F(A),F(B),F(C)} : (F(A) ⊗_D F(B)) ⊗_D F(C) → F(A) ⊗_D (F(B) ⊗_D F(C)); the left side goes down through μ_{A,B} ⊗ id : (F(A) ⊗_D F(B)) ⊗_D F(C) → F(A ⊗_C B) ⊗_D F(C) and μ_{A⊗B,C} : F(A ⊗_C B) ⊗_D F(C) → F((A ⊗_C B) ⊗_C C); the right side goes down through id ⊗ μ_{B,C} : F(A) ⊗_D (F(B) ⊗_D F(C)) → F(A) ⊗_D F(B ⊗_C C) and μ_{A,B⊗C} : F(A) ⊗_D F(B ⊗_C C) → F(A ⊗_C (B ⊗_C C)); the bottom edge is F(α^C_{A,B,C}) : F((A ⊗_C B) ⊗_C C) → F(A ⊗_C (B ⊗_C C))]


where the two morphisms α^C, α^D denote the associators of the two tensor
products.

— unitality: For every object A ∈ C, the following diagram and its right symmetry
both commute:


[commutative diagram: the two paths from 1_D ⊗_D F(A) to F(A) coincide, namely the left unitor l^D_{F(A)} on one side and, on the other, ε ⊗ id : 1_D ⊗_D F(A) → F(1_C) ⊗_D F(A) followed by μ_{1_C,A} : F(1_C) ⊗_D F(A) → F(1_C ⊗_C A) followed by F(l^C_A) : F(1_C ⊗_C A) → F(A)]


where l^C, l^D denote the left unitors of the two tensor products.
Definition 26. Let F, G be two pseudofunctors between two bicategories C and
D. A pseudonatural transformation φ : F → G is given by:


— for every object A of C, a morphism φ(A) : F(A) → G(A) of D.
— for every morphism f : A → B of C, a bijective 2-morphism φ(f) : φ(B) ∘
F(f) ⇒ G(f) ∘ φ(A)


such that
— φ respects composition of morphisms, meaning that we have an equivalence
between
(A) sG(f,9)) - (C) > G(g)) - (F(A) 3 6(9))
and


ogo F) - (E(F, 9) > eC),
both being 2-morphisms from
φ(C) ∘ F(g) ∘ F(f) ⇒ G(g ∘ f) ∘ φ(A),


where · is the vertical composition between 2-morphisms, ◁, ▷ the two versions
of the horizontal composition between a morphism and a 2-morphism (also
called whiskering), and F(f, g) : F(g) ∘ F(f) ⇒ F(g ∘ f) is the bijective 2-
morphism coming from the pseudofunctor F.

— φ respects the identity morphisms, meaning we have an equivalence between


Lica)’ Eiaa P OA)
and
Riva) ` PA) <fa, < (ida)
both being 2-morphisms from
φ(A) ∘ F(id_A) ⇒ φ(A)


where l_{φ(A)} : φ(A) ∘ id_{F(A)} ⇒ φ(A) is the left unitor coming from the bicate-
gory D and F_{id_A} : F(id_A) ⇒ id_{F(A)} is the bijective 2-morphism coming from
the pseudofunctor F.

φ is natural in the following sense: for every 2-morphism γ : f ⇒ g with
f, g : A → B, we have an equivalence between


φ(g) · (F(γ) ▷ φ(B))


and


(φ(A) ◁ G(γ)) · φ(f).


Definition 27. A fully weak comonad G on a bicategory C is a pseudofunctor,
along with pseudonatural transformations δ and ε that satisfy the usual laws of
a comonad up to natural bijective 2-morphisms in C.
E Proof of Proposition 2


Proof. Let A, B be two games.
Let σ be a P-cartesian transduction between A and B. The associated deter-
ministic strategy f_σ is simply given by:


f_σ(2n) = {(c, a, σ(a)) | a ∈ A(n)}


This definition clearly gives a functional strategy, the determinism being given
by the fact that σ is P-cartesian.

Conversely, let f be a functional strategy of A ⊸ B. The associated P-
cartesian transduction σ_f is given by:


σ_f(2n)(a) = b s.t. (c, a, b) ∈ f(4n)


Such a b is unique by functionality of f.


F Proof that P is a pseudofunctor


Proof. First we need to complete the definition of P by detailing why, for f a
deterministic strategy of A ⊸ B and σ a P-strategy over A, P(f)(σ) is indeed
a P-strategy over B, and thus a presheaf over tree(B_P). For this, we need to
define the collection of projector functions π_{2n} : P(f)(σ)(2n) → P(f)(σ)(2n − 2)
as follows:

For x ∈ P(f)(σ)(2n) over b (meaning x ∈ P(f)(σ)(b) and b ∈ B_{2n}), there
exists by definition a unique e, a such that (e, a, b) ∈ f and x ∈ σ(a). From this,
we define:

π_{2n}(x) = π^k(x), where (π^{k+2}(e), π^k(a), π^2(b)) ∈ f.

By determinism of f, there is only one such k. Moreover, we also have
π^k(x) ∈ σ(π^k(a)). Consequently, by definition of P(f)(σ), we have π^k(x) ∈
P(f)(σ)(π^2(b)) as expected.

The next step is to show that, for a strategy f : A ⊸ B, P(f) is a functor
from P(A) to P(B). For that, we need to define its effect on simulations. For
α : σ → τ, P(f)(α) : P(f)(σ) → P(f)(τ) is simply defined by applying α to all
positions of P(f)(σ), as all those are induced from positions of σ by definition.
With this, it is easy to verify that P(f) preserves identities and composition of
simulations.

Finally, let us show that P is a pseudofunctor.

First, P(Id_A)σ associates to a position a of A the set:


P(Id_A)(σ) : a ↦ ∐_{(c, a, a) ∈ Id_A} σ(a),


which is instantly isomorphic to σ(a). Factoring the effect on simulations, it
is easy to build a bijective natural transformation between P(Id_A) and
Id_{P(A)}. Thus P(Id_A) ≅ Id_{P(A)}.
Next, let f : A ⊸ B and g : B ⊸ C be two deterministic strategies and σ a
P-strategy of A. We have:


P(g)P(f)(σ) : c ↦ ∐_{(e₂, b, c) ∈ g} ∐_{(e₁, a, b) ∈ f} σ(a)


This is easily isomorphic to P(g ∘ f)σ which is given by:


P(g ∘ f)(σ) : c ↦ ∐_{(e, a, c) ∈ g ∘ f} σ(a).


This isomorphism is a consequence of the definition of composition for deter-
ministic strategies, as there is only one triple e₁, e₂, b such that (e₁, a, b) ∈ f,
(e₂, b, c) ∈ g and e = e₁ · e₂ for a position (e, a, c) ∈ g ∘ f.

This extends into a natural isomorphism between the functors P(g ∘ f) and
P(g)P(f), giving us the fact that P is indeed a pseudofunctor.


G Proof of Proposition 6


Proof. — Let f : A ⊸ B, g : C ⊸ D be two slender strategies. Let (t₂, b, d) be
a player position of B ⊗ D. Since f and g are slender, there exist unique
e_f, a, e_g, c such that (e_f, a, b) ∈ f, (e_g, c, d) ∈ g. Using t₂, e_f, e_g and Propo-
sition 10, we reconstruct e, t₁ such that (e, (t₁, a, c), (t₂, b, d)) is a position of
f ⊗ g. This position is unique as the reconstruction of Proposition 10 is unique,
and thus f ⊗ g is a slender strategy.


— Let f : A ⊸ B, g : C ⊸ D be two functional strategies. Let (t₁, a, c) be an
opponent position of A ⊗ C. Since f and g are functional strategies, there
exist unique b, d such that (cp_f, a, b) ∈ f, (cp_g, c, d) ∈ g. The study of f ⊗ g
done in the proof of Proposition 10 gives us that any valid position of f ⊗ g
would have a copycat schedule (as the schedule is built from sequences 1.0*.1
of cp_f and cp_g). This implies immediately that the only possible position is
(cp, (t₁, a, c), (t₁, b, d)), as no other play would verify the needed structures, and
thus f ⊗ g is a functional strategy.


H Proof of Theorem 3


Proof. First, we can note that the unit 1 of G has a unique P-strategy, the empty
strategy. Consequently, P(1) is the singleton category, which is the unit of the
cartesian product in Cat.

Moreover, to extend P as a lax monoidal pseudofunctor, we need a transfor-
mation μ_{A,B} : P(A) × P(B) → P(A ⊗ B) natural in A and B.

Since the morphisms of that transformation live in Cat, they are functors.
We thus define:
for σ an object of P(A) and τ an object of P(B),
μ_{A,B}(σ, τ) = σ ⊗ τ


for α : σ → σ' a morphism of P(A) and β : τ → τ' a morphism of P(B),
μ_{A,B}(α, β) : σ ⊗ τ → σ' ⊗ τ' is defined by:


μ_{A,B}(α, β)(t, x, y) = (t, α(x), β(y))


We now need to prove that this transformation is natural in A and B, and that
it verifies the two commutative diagrams of a lax monoidal functor (associativity
and unitality), up to bijective simulations. Those last two are easy to verify and
use similar arguments, so we will focus on the naturality.

We need our transformation to verify the following commutative diagram
for A, B, A', B' four games and f : A ⊸ A', g : B ⊸ B' two deterministic
strategies:


[commutative square: μ_{A,B} : P(A) × P(B) → P(A ⊗ B) on top, μ_{A',B'} : P(A') × P(B') → P(A' ⊗ B') at the bottom, with vertical arrows P(f) × P(g) on the left and P(f ⊗ g) on the right]


Let σ be a P-strategy of A and τ a P-strategy of B. Verifying the
commutative diagram amounts to finding two reciprocal morphisms between:


P(f)(σ) ⊗ P(g)(τ) and P(f ⊗ g)(σ ⊗ τ).


P(f)(σ) ⊗ P(g)(τ) = image(f ∘ supp_σ) ⊗ image(g ∘ supp_τ)
P(f)(σ) ⊗ P(g)(τ) ≅ image(f ∘ supp_σ ⊗ g ∘ supp_τ) by consequences of prop 6


P(f ⊗ g)(σ ⊗ τ) = image((f ⊗ g) ∘ supp_{σ⊗τ})
P(f ⊗ g)(σ ⊗ τ) ≅ image((f ⊗ g) ∘ supp_σ ⊗ supp_τ) by consequences of prop 6


By bifunctoriality of ⊗, we have f ∘ supp_σ ⊗ g ∘ supp_τ = (f ⊗ g) ∘ supp_σ ⊗
supp_τ, giving us the equality of the images we need, up to bijective simulations.


I Proof of Proposition 9


Proof. — Let (ψ, b̄ = b₁, ..., b_n) be a P position of !B. Since f is slender, for all b_i
player positions of b̄, there exists a unique pair (e_i, a_i) such that (e_i, a_i, b_i) ∈ f.


We use a method similar to the one used in the proof of Proposition 10.
Instead of using the tensorial schedule to guide us in reconstructing the play
of !A ⊸ !B, we use ψ, which indicates us what is the next player move b_i to
get to (starting from b_{i−2}, and assuming we have reconstructed e and φ so
far), and then use the play (e_i, a_i, b_i) to construct the play.
The sequence of moves we add is the suffix of the play (e_i, a_i, b_i) looking
like b_{i−1} a_i^1 ... a_i^k b_i (with a_i^k = a_i) as any other move in the play (e_i, a_i, b_i) has
already been played (since in particular any b move prior to b_{i−1} has been
played).

Player cannot backtrack in the middle of the sequence b_{i−1} a_i^1 ... a_i^k b_i without
breaking the fact that the full play is associated to an O-heap in !(A ⊸ B).

This allows us to extend e into e.1.0*.1 and φ by linking a_i^1 to its predecessor
in A of the play (e_i, a_i, b_i).

This method constructs a valid position of !f as all branches are played
following f and φ is an O-heap. It is the only possible position including ψ, b̄
as everything we have done was determined by ψ, f and b̄. Thus !f is a slender
strategy.

— Let (φ, ā = a₁, ..., a_n) be an O position of !A. Since f is a functional strategy, for
all a_i opponent positions of ā, there exists a unique b_i such that (c, a_i, b_i) ∈ f.
By determinism of f, it is also true for all player positions of ā. By using φ as
a guide, this easily allows us to construct the position of !f: (c, (φ, ā), (φ, b̄ =
b₁, ..., b_n)).

It is the unique such position for (φ, ā) for reasons similar to the ones
evoked in the proof for slender strategies. Thus !f is a functional strategy.


J Proof of Theorem 4
Proof. — For a game A, we have by construction:


(!_P)_{A,B}(Id_A) = P(η_{A,B}) ∘ #_S(Id_A)
(!_P)_{A,B}(Id_A) = P(η_{A,B})(#_S Id_A) = Id_{!A}


— Let A, B, C be three games and σ a P-strategy of A ⊸ B, τ a P-strategy
of B ⊸ C. We need to prove that there is a natural isomorphic simulation
between !_P(τ ∘ σ) and !_P(τ) ∘ !_P(σ).


First we will simplify those two strategies through the various properties we
have seen so far:
First !_P(τ ∘ σ):


!_P(τ ∘ σ) = P(η_{A,C})(#_S(τ ∘ σ))
!_P(τ ∘ σ) ≅ image(η_{A,C} ∘ supp_{#_S(τ∘σ)}) by equation 4
!_P(τ ∘ σ) ≅ image(η_{A,C} ∘ !supp_{τ∘σ}) by consequence of def 13
!_P(τ ∘ σ) ≅ image(η_{A,C} ∘ !supp_{P(comp_{A,B,C})(σ⊗τ)}) by definition 9
!_P(τ ∘ σ) ≅ image(η_{A,C} ∘ !supp_{image(comp_{A,B,C} ∘ supp_{σ⊗τ})}) by equation 4
!_P(τ ∘ σ) ≅ image(η_{A,C} ∘ supp_{#_S(image(comp_{A,B,C} ∘ supp_{σ⊗τ}))}) by consequence of def 13


!_P(τ ∘ σ) ≅ image(η_{A,C} ∘ !(comp_{A,B,C} ∘ supp_{σ⊗τ})) by theorem 1
!_P(τ ∘ σ) ≅ image(η_{A,C} ∘ !comp_{A,B,C} ∘ supp_{#_S(σ⊗τ)}) by functoriality of ! and consequence of def 13
Then, !_P(τ) ∘ !_P(σ):


!_P(τ) ∘ !_P(σ) = P(η_{B,C})(#_S τ) ∘ P(η_{A,B})(#_S σ)
!_P(τ) ∘ !_P(σ) ≅ image(η_{B,C} ∘ supp_{#_S(τ)}) ∘ image(η_{A,B} ∘ supp_{#_S(σ)}) by equation 4
!_P(τ) ∘ !_P(σ) ≅ P(comp_{!A,!B,!C})(image(η_{A,B} ∘ supp_{#_S(σ)}) ⊗ image(η_{B,C} ∘ supp_{#_S(τ)})) by definition 9
!_P(τ) ∘ !_P(σ) ≅ P(comp_{!A,!B,!C})(image(η_{A,B} ∘ supp_{#_S(σ)} ⊗ η_{B,C} ∘ supp_{#_S(τ)})) by consequence of prop 6
!_P(τ) ∘ !_P(σ) = image(comp_{!A,!B,!C} ∘ supp_{image(η_{A,B} ∘ supp_{#_S(σ)} ⊗ η_{B,C} ∘ supp_{#_S(τ)})}) by equation 4
!_P(τ) ∘ !_P(σ) ≅ image(comp_{!A,!B,!C} ∘ (η_{A,B} ∘ supp_{#_S(σ)} ⊗ η_{B,C} ∘ supp_{#_S(τ)})) by theorem 1
!_P(τ) ∘ !_P(σ) ≅ image(comp_{!A,!B,!C} ∘ η_{A,B} ⊗ η_{B,C} ∘ supp_{#_S(σ)} ⊗ supp_{#_S(τ)}) by bifunctoriality of ⊗


!_P(τ) ∘ !_P(σ) ≅ image(comp_{!A,!B,!C} ∘ η_{A,B} ⊗ η_{B,C} ∘ !supp_σ ⊗ !supp_τ) by consequence of def 13

We intend to prove that those two images are isomorphic. For that, we will
make the following remark:

! is lax monoidal in G, meaning that there exists a transformation μ_{A,B} :
!A ⊗ !B → !(A ⊗ B) natural in A and B. Thus we have the following diagram
with the top square commuting by naturality of μ:


[commutative diagram: the top square has μ : !{σ | A ⊸ B} ⊗ !{τ | B ⊸ C} → !({σ | A ⊸ B} ⊗ {τ | B ⊸ C}) on top and μ_{A⊸B,B⊸C} : !(A ⊸ B) ⊗ !(B ⊸ C) → !(A ⊸ B ⊗ B ⊸ C) below, with vertical arrows !supp_σ ⊗ !supp_τ on the right and !(supp_σ ⊗ supp_τ) on the left; below it, !comp_{A,B,C} : !(A ⊸ B ⊗ B ⊸ C) → !(A ⊸ C) on the left and η_{A,B} ⊗ η_{B,C} : !(A ⊸ B) ⊗ !(B ⊸ C) → !A ⊸ !B ⊗ !B ⊸ !C on the right; finally η_{A,C} : !(A ⊸ C) → !A ⊸ !C and comp_{!A,!B,!C} : !A ⊸ !B ⊗ !B ⊸ !C → !A ⊸ !C]


In more detail, positions of μ_{A,B} are of the form (e, (t, φ, ā, ψ, b̄), (Φ, t', ā, b̄)),
where, for a position (Φ, t', ā, b̄) of !(A ⊗ B), one can rebuild the unique associ-
ated position by playing the moves in order and building the tensorial schedule
and the O-heaps incrementally, the general structure ensuring that we do get
them in the end. Consequently μ_{A,B} is slender and induces a transduction
from B to A.
Note that it is not bijective as the play of !(A ⊗ B) where we play in B, then
backtrack to play in A would produce the same play in !A ⊗ !B as playing
in B then in A without backtracking.

Thus, we have, since μ_{{σ | A⊸B},{τ | B⊸C}} is slender:


image(η_{A,C} ∘ !comp_{A,B,C} ∘ supp_{#_S(σ⊗τ)}) = image(η_{A,C} ∘ !comp_{A,B,C} ∘ supp_{#_S(σ⊗τ)} ∘ μ_{{σ | A⊸B},{τ | B⊸C}})


Then, by naturality,


image(η_{A,C} ∘ !comp_{A,B,C} ∘ supp_{#_S(σ⊗τ)}) = image(η_{A,C} ∘ !comp_{A,B,C} ∘ μ_{A⊸B,B⊸C} ∘ supp_{#_S(σ)⊗#_S(τ)})


Consequently,


image(η_{A,C} ∘ !comp_{A,B,C} ∘ supp_{#_S(σ⊗τ)}) =
image(comp_{!A,!B,!C} ∘ η_{A,B} ⊗ η_{B,C} ∘ !supp_σ ⊗ !supp_τ)
if and only if


image(η_{A,C} ∘ !comp_{A,B,C} ∘ μ_{A⊸B,B⊸C} ∘ supp_{!σ⊗!τ}) =
image(comp_{!A,!B,!C} ∘ η_{A,B} ⊗ η_{B,C} ∘ !supp_σ ⊗ !supp_τ)


meaning if and only if


image(η_{A,C} ∘ !comp_{A,B,C} ∘ μ_{A⊸B,B⊸C}) ≅
image(comp_{!A,!B,!C} ∘ η_{A,B} ⊗ η_{B,C})


An important remark is that μ_{A⊸B,B⊸C} transfers plays p of (!(A ⊸
B) ⊗ !(B ⊸ C)) such that there exists (e, (φ, ā), (ψ, c̄))_p ∈ image(comp_{!A,!B,!C} ∘
η_{A,B} ⊗ η_{B,C}) to plays p' of !(A ⊸ B ⊗ B ⊸ C) such that there exists
(e, (φ, ā), (ψ, c̄))_{p'} ∈ image(η_{A,C} ∘ !comp_{A,B,C}).


In other words μ, when restricted to plays that play a role in the images we
outlined, acts as a function from the set of plays of (!(A ⊸ B) ⊗ !(B ⊸ C)) to
the set of plays of !(A ⊸ B ⊗ B ⊸ C). This can be proved by looking at the
respective structures of the plays and induces one half of the isomorphism we
need.


We do a similar study by introducing a P-strategy of !(A ⊸ B ⊗ B ⊸ C) ⊸
(!(A ⊸ B) ⊗ !(B ⊸ C)) that acts as a converse of μ_{A⊸B,B⊸C} for such plays
and thus get a converse to our morphism, which will give us the second half
of the isomorphism we need. Here is how we proceed:

Let (t, (φ, e, ā, b̄), (ψ, f, b̄', c̄)) be a play of (!(A ⊸ B) ⊗ !(B ⊸ C)) such that
there exists


(e_{!A⊸!C}, (φ_{!A}, ā), (ψ_{!C}, c̄)) ∈ image(comp_{!A,!B,!C} ∘ η_{A,B} ⊗ η_{B,C}).
In particular, that implies that, since η_{A,B} ⊗ η_{B,C} doesn't change the order
of moves, the sequence of moves of (t, (φ, e, ā, b̄), (ψ, f, b̄', c̄)) must be able to
be the left projection of comp_{!A,!B,!C}. This restricts the way the moves can be
played.


In particular, B moves from the two components must answer each other
right away, giving sequences without backtrack of the form c (b_i.b'_i.b'_j.b_j)* c,
with similar structures for sequences starting and/or finishing with an A move.
In addition, there cannot be any backtrack in A or any of the two B components
that would not be initiated by a backtrack in a C component.


The idea is that a backtrack in C induces a backtrack in B which is mirrored on
the left component and induces a backtrack in A. Those backtracks give us a
heap structure and the moves inside a sequence follow a proper tensor schedule,
so it can be seen as a play of !(A ⊸ B ⊗ B ⊸ C) and it is easy to verify that
this play would produce an element of image(η_{A,C} ∘ !comp_{A,B,C} ∘ μ_{A⊸B,B⊸C})
and that the P-strategy of !(A ⊸ B ⊗ B ⊸ C) ⊸ (!(A ⊸ B) ⊗ !(B ⊸ C))
built by reorganizing structure without changing order of moves is a converse
to μ_{A⊸B,B⊸C}.


Consequently, we have the bijection of images we needed and thus an isomor-
phic simulation between !_P(τ ∘ σ) and !_P(τ) ∘ !_P(σ). It is natural since μ and
the isomorphisms involved in the manipulation of images are natural.

The few additional diagrams that must be checked are easy to verify with
similar methods, and thus we have that !_P is a pseudofunctor.


K Proof that ! Is a Pseudocomonad


In the following section, we will detail the construction of the pseudonatural trans-
formations δ and ε and prove their naturality. From those definitions, verifying
that ! is a pseudocomonad is easy as the morphism part of the two natural trans-
formations coincides with their definition in the deterministic case, making the
diagrams commute instantly. After that, we may do a similar study on d, e to
give ! the necessary structure to be a linear exponential modality.


We will handle here the case of δ, for a P-strategy σ : A ⊸ B. This is, by
Definition 26, a bijective 2-morphism between !_P!_Pσ ∘ δ_A and δ_B ∘ !_Pσ, both being
P-strategies of !A ⊸ !!B.


First note that


!_P!_Pσ ∘ δ_A = image(comp_{!A,!!A,!!B} ∘ supp_{!_P!_Pσ} ⊗ supp_{δ_A})


and that


δ_B ∘ !_Pσ = image(comp_{!A,!B,!!B} ∘ supp_{δ_B} ⊗ supp_{!_Pσ}).


We want to study the structure of both images to find an isomorphic simu-
lation between them.
[commutative diagram: R_{!_Pσ} ⊗ R_{δ_B} maps by supp_{!_Pσ} ⊗ supp_{δ_B} to !A ⊸ !B ⊗ !B ⊸ !!B, and R_{δ_A} ⊗ R_{!_P!_Pσ} maps by supp_{δ_A} ⊗ supp_{!_P!_Pσ} to !A ⊸ !!A ⊗ !!A ⊸ !!B; comp_{!A,!B,!!B} and comp_{!A,!!A,!!B} then send both to !A ⊸ !!B]

What we will do is start from a position


(e, (φ_A, ā), (ψ_B, φ_B, b̄))


of !A ⊸ !!B and go back along the arrows to see what structure the positions
that produce this position must have.

First, on the left branch, the presence of comp_{!A,!B,!!B} indicates that the
position in !A ⊸ !B ⊗ !B ⊸ !!B must be of the form


(t, (e₁, (φ_A, ā), (φ'_B, b̄')), (e₂, (φ'_B, b̄'), (ψ_B, φ_B, b̄)))


for some t, e₁, e₂, φ'_B, b̄' such that e₁ · e₂ = e.
Since the right component of this position comes from δ_B, we actually have


b̄' = b̄, φ'_B = φ_B, e₂ = c and thus e₁ = e and we actually have the position


(t, (e, (φ_A, ā), (φ_B, b̄)), (c, (φ_B, b̄), (ψ_B, φ_B, b̄)))


for some t which is fixed by the two components for the composition to work.
And thus, this gives us the following position of R_{!_Pσ} ⊗ R_{δ_B}:


(t, ((φ_A, e, x̄), x̄), (c, (φ_B, b̄), (ψ_B, φ_B, b̄)))


where x̄ is a sequence of moves that gets projected to the sequence of moves of
(e, (φ_A, ā), (φ_B, b̄)). There is no modification of the order the moves are played
in this step, just a reorganization of the structure.

Thus a position of R_{δ_B ∘ !_Pσ} is of the form


(e, (φ_A, ā), (ψ_B, φ_B, b̄))_{(t, ((φ_A, e, x̄), x̄), (c, (φ_B, b̄), (ψ_B, φ_B, b̄)))}


We apply a similar reasoning to the right branch to obtain the form of a
position of R_{!_P!_Pσ ∘ δ_A}:


(e, (φ_A, ā), (ψ_B, φ_B, b̄))_{(t', (c, (φ_A, ā), (ψ_A, φ_A, ā)), (e, ((ψ_B, e, x̄'), (φ_A, e, x̄'), x̄')))}
where t' is fixed by the composition and the sequence of moves x̄' gets projected
to the same sequence of moves as x̄ in the left branch. In particular, both
sequences have the same length.

Since everything is fixed from the initial position (e, (φ_A, ā), (ψ_B, φ_B, b̄)) but
the two sequences x̄ and x̄', we can then build δ_σ as the simulation sending
one position to the other one sharing that same initial structure and the same
sequence x̄.

With a similar study, we build ε_σ as the simulation that sends positions of
the form

(e, (7, a), Di Ceeravalie)
to positions of the form


(e, (π, ā), b̄)_{((π, x̄), (e, (π, b̄), b̄))}


where t, t' are fixed by construction and x̄ is the branch of positions finishing in
x in R_σ.


Proof. We will now prove the pseudonaturality of ε; δ is handled in a similar way.
Let us look at the naturality first. Let A, B be two games, σ, τ two P-strategies
of A ⊸ B and α : σ → τ a simulation. We require that the two following pasting
diagrams are equivalent:


[pasting diagrams built on !_Pσ : !A → !B]

This amounts to the following equality of simulations:
(ε_A ◁ α) · ε_σ^{-1} = ε_τ^{-1} · (!_Pα ▷ ε_B)


where ◁, ▷ indicate the whiskering that results from the composition of P-
strategies and · indicates the vertical composition which is simply the com-
position of functions. Thus, for a position


(e, (π, ā), b̄)_{((π, x̄), (c, (π, b̄), b̄))}
of ε_B ∘ !_Pσ, we have:


(ea <a): es? (Ce, (mT), De (r T), (elr, b),b)) = (CA <0) (Ce, (7, T), b)e,(6,(n,a),a),2) by def of eo 


(ea 4a) - e3" (Ce, (2), ber C,T), (0,(,5),6)) = (Cr (1:8), b)t,(0,(,),a),a(e) bY def of P, ea 


On the other hand, 


e $ (lpa > €B) ((e, (1, @), b)i (.@),(c,(.b),b)) 


= e7" ((e, (7,2); by m arayy,(e(nB),b)) by def of P,en,!9 


e7": (Ipap ep) ((e, (7,8), b)i (n3), le, (r 5),b)) 


= (e, (T, 0), Dito Gra) hate) by def of Er 


And thus, we have the equivalence we require. The other diagram equalities
we need to verify are done in a similar way.

The key point to remember from this proof and the similar ones that need to
be done is that, while the form of the positions is a bit heavy, the structures that
underlie them do most of the work for us, making most of the needed verifications
very easy once the positions have been properly described.

We apply those methods to verify that ! is indeed a pseudocomonad, to define
and verify that d_A, e_A are proper pseudonatural transformations and to check
that !, along with those transformations, does have the structure of a linear
exponential modality.
Abstract. When presenting a denotational semantics of a language with
recursion, it is necessary to show that the semantics is computationally 
adequate, i.e. that every divergent term denotes the “bottom” element 
of a domain. 

We explain how to view such a theorem as a purely syntactic result. 
Any theory (congruence) that includes basic laws and is closed under an 
infinitary rule that we call “rational continuity” has the property that 
every divergent term is equated with the divergent constant. Therefore, 
to prove a model adequate, it suffices to show that it validates the basic 
laws and the rational continuity rule. While this approach was inspired by 
the categorical, ordered framework of Abramsky et al., neither category 
theory nor order is needed. 

The purpose of the paper is to present this syntactic result for call-by- 
push-value extended with term-level recursion and polymorphic types. 
Our account begins with PCF, then includes sum types, then moves to 
call-by-push-value, and finally includes polymorphic types. 


1 Introduction 


Models of Recursion. A conventional denotational account of a language with
recursion proceeds as follows. First define the syntax and operational semantics.
Then give a denotational model. Lastly, prove soundness, i.e. if t evaluates to u
(written t ⇓ u) then [[t]] = [[u]], and adequacy, i.e. if t diverges (written t ⇑) then
[[t]] = ⊥.

Because it is often convenient to structure a model categorically, Fiore and
Plotkin (1994) gave categorical axioms on a model that imply (soundness and)
adequacy. Crucially, in their work, as detailed by Fiore (1996), a model is required
to be "ωCpo-enriched", meaning that a term denotes an element of a pointed
ω-cpo (poset with least element ⊥ and suprema of all increasing ω-chains), and
a term constructor is ω-continuous (preserves suprema of ω-chains). Thus (for
a call-by-name language) a term x : A ⊢ t : A gives a continuous endofunction
f, and the recursion rec x.M denotes the supremum of (fⁿ⊥)_{n∈ℕ}, the least
(pre)fixpoint of f.


P. B. Levy—Research Supported by UK EPSRC Grant EP/N023757/1. 


© The Author(s) 2018 
C. Baier and U. Dal Lago (Eds.): FOSSACS 2018, LNCS 10803, pp. 71-87, 2018. 
https://doi.org/10.1007/978-3-319-89366-2_4


72 M. Devesas Campos and P. B. Levy 


However, for the models of Abramsky et al. (2000), Abramsky and McCusker
(1997), and McCusker (1998), the requirement of ωCpo-enrichment is too
restrictive, because the posets arising do not have suprema of all increasing
ω-chains (Normann 2006). So these papers use a more relaxed ordered framework
where the only suprema that must be preserved are those of chains (fⁿ⊥)_{n∈ℕ} of
iterated applications. This means that any so-called rational chain (g ∘ fⁿ⊥)_{n∈ℕ}
has an upper bound given by g(⊔ fⁿ⊥), a property known as rational continu-
ity (Wright et al. 1976; cf. also Bloom and Ésik 1993).


Recursion but Rationally. Our goal is to give an even more relaxed version of this
"rational" framework for adequacy; one that uses no category theory, order or
denotational model. It could be viewed as a purely syntactic result: a property
of a theory (congruence) ~ rather than of a model. Thus we want t ⇓ u to imply
t ~ u, and t ⇑ to imply t ~ Ω, where Ω is a divergent constant. The benefit of such
a result is to modularize the narrative described at the start; we can get adequacy
out of the way before we start studying categorical and denotational semantics.


Rational Continuity. Currently we have accomplished this goal for term-level
recursion and polymorphic types. (Recursive and existential types are left to
future work; see Sect. 6). Our result is that any theory (congruence) ~ will
be sound and adequate provided it (a) contains the β-laws, fixpoint law and
strictness laws and (b) is closed under an infinitary rule called rational continuity.
This rule says (for a call-by-name language) that if C[recⁿ x.t] ~ D[recⁿ x.t]
for infinitely many n ∈ ℕ, then C[rec x.t] ~ D[rec x.t]. Here we write recⁿ x.t
for the nth approximant to recursion, defined by the clauses rec⁰ x.t := Ω and
recⁿ⁺¹ x.t := t[recⁿ x.t/x].


Plan. To include both call-by-value (CBV) and call-by-name (CBN), we have 
established our result for call-by-push-value. The latter has both value types 
and computation types, but the treatment of value types in our proof is more 
complicated, so we begin in the CBN setting, which has only computation types. 
Our CBN account itself begins with PCF, which has only base types and func- 
tion types; we then include sum types, using a proof method adapted from 
McCusker (1998). Next we move to call-by-push-value, and use ultimate pattern 
matching of values (Lassen and Levy 2008) to treat the value types. Finally we 
include polymorphic types. 


Related Work. Adequacy of topos models has been studied using an internal lan-
guage (Simpson 2004). Other adequacy results for polymorphic models include
realizability semantics (Møgelberg 2009) and game semantics (Laird 2013).


2 PCF 


Language. We begin by introducing a version of Plotkin's PCF (1997) that
replaces fixpoint combinators with recursion operators and an explicit divergence
construct Ω (Table 1). As per usual, terms are taken up to α-equivalence. The set
of closed terms of type T will be denoted by CTerms^T and that of normal forms
by NF^T. For a closed term t there is at most one v such that t ⇓ v; when there
is none we say it diverges and represent this by t ⇑.


Table 1. PCF

Types    T, U ::= Bool | Nat | T → U

Typing
  (x : T ∈ Γ) ⟹ Γ ⊢ x : T
  Γ ⊢ tt : Bool        Γ ⊢ ff : Bool
  Γ ⊢ t : Bool, Γ ⊢ u : T, Γ ⊢ q : T ⟹ Γ ⊢ if t then u else q : T
  Γ ⊢ zero : Nat
  Γ ⊢ t : Nat ⟹ Γ ⊢ succ t : Nat        Γ ⊢ t : Nat ⟹ Γ ⊢ pred t : Nat        Γ ⊢ t : Nat ⟹ Γ ⊢ iszero t : Bool
  Γ, x : T ⊢ t : U ⟹ Γ ⊢ λx.t : T → U        Γ ⊢ t : T → U, Γ ⊢ u : T ⟹ Γ ⊢ t u : U
  Γ ⊢ Ω : T        Γ, x : T ⊢ t : T ⟹ Γ ⊢ rec x.t : T

Reduction
  tt ⇓ tt        ff ⇓ ff
  t ⇓ tt, u ⇓ v ⟹ if t then u else q ⇓ v        t ⇓ ff, q ⇓ v ⟹ if t then u else q ⇓ v
  zero ⇓ zero        t ⇓ v ⟹ succ t ⇓ succ v        t ⇓ succ v ⟹ pred t ⇓ v
  t ⇓ zero ⟹ iszero t ⇓ tt        t ⇓ succ v ⟹ iszero t ⇓ ff
  λx.t ⇓ λx.t        t ⇓ λx.t', t'[u/x] ⇓ v ⟹ t u ⇓ v        t[rec x.t/x] ⇓ v ⟹ rec x.t ⇓ v


2.1 A Rationally Continuous Theory of PCF 


The Theory. A congruence on terms is a type-indexed equivalence relation on
closed terms of said type satisfying t ~ t' ⟹ C[t] ~ C[t'] for any context
C[−] where the hole is closed. (We omit type annotations.) A congruence is a
rationally continuous β-Ω-fix theory if it also satisfies the rules in Table 2.

The basis for the theory are the obvious β rules that mimic the reduction
rules. In a similar vein, the fixpoint rule establishes that each recursive term
is the fixpoint of a substitution. These rules alone are enough to establish the
soundness of the theory with respect to reduction.


Proposition 1 (Soundness). Any congruence ~ satisfying the β and fixpoint
rules (Table 2) is sound: t ⇓ r ⟹ t ~ r.


A Converse. Our sights now turn to proving that divergent terms are identical to
Ω. The extra requirement calls for a more refined theory that can more closely
mirror the behaviour of reduction. The last two sets of equations in Table 2
fill the gaps in what the reduction rules don't say about divergence. The first
relates to the strictness of the operators: divergence of an argument leads to the
divergence of the operator, e.g., Ω u ~ Ω. The second is the rational continuity
rule presented in the introduction.


Table 2. Rationally continuous β-Ω-fix theory of PCF

Basis    An equivalence relation ~ on closed terms satisfying compatibility:
         for any (closed) C[−], t ~ u ⟹ C[t] ~ C[u]

β Rules
  if tt then u else q ~ u        if ff then u else q ~ q        iszero zero ~ tt
  iszero succⁿ⁺¹ zero ~ ff        pred succⁿ⁺¹ zero ~ succⁿ zero        (λx.t) u ~ t[u/x]

Fixpoint Rule    rec x.t ~ t[rec x.t/x]

Divergence Rules
  Ω u ~ Ω        if Ω then u else q ~ Ω        iszero Ω ~ Ω
  succ Ω ~ Ω        pred Ω ~ Ω        pred zero ~ Ω

Rational Continuity    for x : T ⊢ t : T,
  ∃^∞ n. C[recⁿ x.t] ~ D[recⁿ x.t]
  ----------------------------------
  C[rec x.t] ~ D[rec x.t]

where rec⁰ x.t = Ω and recⁿ⁺¹ x.t = t[recⁿ x.t/x].


Rational Continuity and Chains. To prove adequacy, one often has to rewrite 
or equate certain terms built with recursion either with some constant or with 
the unrolling of the recursive term a few times. In cpo models, continuity and 
compositionality of the interpretations validate the following rule: 
$$\frac{\forall n \in \mathbb{N}.\ [\![C[\mathsf{rec}^n x.t]]\!] = [\![D[\mathsf{rec}^n x.t]]\!]}{[\![C[\mathsf{rec}\,x.t]]\!] = [\![D[\mathsf{rec}\,x.t]]\!]}$$


But this can be further weakened by requiring equality only at infinitely many 
$n$, for then one can still define chains with exactly the same least 
upper bounds. We write $\exists^{\infty} n.\,P(n)$ to mean that there exist infinitely many $n \in \mathbb{N}$ 
for which $P(n)$ holds. This leads us to the syntactic continuity rule in Table 2. 
Since adequacy refers solely to closed terms, we only require this property for 
$x : T \vdash t : T$, and therefore $\mathsf{rec}^n x.t$ and $\mathsf{rec}\,x.t$ are closed. Similarly, by 
a rational chain we mean a chain of the form $C[\mathsf{rec}^n x.t]$ for infinitely many 
$n \in \mathbb{N}$, and by its limit we mean the term $C[\mathsf{rec}\,x.t]$. 
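To make the rational-chain construction concrete, here is an added example in Python (not code from the paper): a small call-by-name PCF evaluator with the strict succ/pred/iszero behaviour of Table 2, the syntactic approximants $\mathsf{rec}^n x.t$, and a context $C[-] = -\,(\mathsf{succ}^3\ \mathsf{zero})$ applied to a recursively defined function. Evaluating $C[\mathsf{rec}^n x.t]$ for increasing $n$ exhibits the chain: it diverges (reaches $\Omega$) for $n < 4$ and then stabilises at the numeral the limit $C[\mathsf{rec}\,x.t]$ evaluates to. The tuple encoding of terms, the depth bound used to report divergence of the limit term, and all helper names are this example's own assumptions.

```python
# Added example (not from the paper): call-by-name PCF with Omega and rec,
# deterministic big-step evaluation, and the approximants rec^n used in rational chains.

class Diverge(Exception):
    """Raised when evaluation reaches Omega or exceeds the depth bound."""

MAX_DEPTH = 400   # assumption: a finite budget standing in for "diverges" on the limit term

# Terms are nested tuples: ('zero',), ('succ', t), ('pred', t), ('iszero', t),
# ('tt',), ('ff',), ('if', c, a, b), ('var', x), ('lam', x, t), ('app', f, a),
# ('rec', x, t), ('omega',).

def subst(t, x, s):
    """t[s/x]; s is always closed here, so no variable capture can occur."""
    tag = t[0]
    if tag == 'var':
        return s if t[1] == x else t
    if tag in ('lam', 'rec'):
        if t[1] == x:                    # x is rebound: nothing free to replace
            return t
        return (tag, t[1], subst(t[2], x, s))
    return (tag,) + tuple(subst(a, x, s) for a in t[1:])

def approx(n, x, t):
    """rec^n x.t: rec^0 x.t = Omega and rec^{n+1} x.t = t[rec^n x.t / x]."""
    return ('omega',) if n == 0 else subst(t, x, approx(n - 1, x, t))

def evaluate(t, depth=0):
    """Big-step t ⇓ v with strict succ/pred/iszero (pred zero diverges, as in Table 2)."""
    if depth > MAX_DEPTH:
        raise Diverge('depth bound exceeded')
    tag = t[0]
    if tag == 'omega':
        raise Diverge('Omega')
    if tag in ('zero', 'tt', 'ff', 'lam'):
        return t
    if tag == 'succ':
        return ('succ', evaluate(t[1], depth + 1))
    if tag == 'pred':
        v = evaluate(t[1], depth + 1)
        if v == ('zero',):
            raise Diverge('pred zero')
        return v[1]
    if tag == 'iszero':
        return ('tt',) if evaluate(t[1], depth + 1) == ('zero',) else ('ff',)
    if tag == 'if':
        branch = t[2] if evaluate(t[1], depth + 1) == ('tt',) else t[3]
        return evaluate(branch, depth + 1)
    if tag == 'app':                     # call-by-name: the argument is substituted unevaluated
        f = evaluate(t[1], depth + 1)
        return evaluate(subst(f[2], f[1], t[2]), depth + 1)
    if tag == 'rec':                     # fixpoint rule, unrolled on demand
        return evaluate(subst(t[2], t[1], t), depth + 1)
    raise ValueError(f'unknown term {t!r}')

def numeral(k):
    t = ('zero',)
    for _ in range(k):
        t = ('succ', t)
    return t

def to_int(v):
    k = 0
    while v[0] == 'succ':
        v, k = v[1], k + 1
    return k

# Constructed sample: t = \n. if iszero n then zero else succ (f (pred n)),
# with f the recursion variable, so rec f.t is the identity on numerals.
BODY = ('lam', 'n', ('if', ('iszero', ('var', 'n')), ('zero',),
                     ('succ', ('app', ('var', 'f'), ('pred', ('var', 'n'))))))

def context(hole):
    """C[-] = - (succ^3 zero)"""
    return ('app', hole, numeral(3))

def chain_results(max_n):
    """Value of C[rec^n f.BODY] for each n < max_n, or None where it diverges."""
    out = []
    for n in range(max_n):
        try:
            out.append(to_int(evaluate(context(approx(n, 'f', BODY)))))
        except Diverge:
            out.append(None)
    return out

def limit_result():
    """Value of C[rec f.BODY], the limit of the rational chain."""
    return to_int(evaluate(context(('rec', 'f', BODY))))

if __name__ == '__main__':
    print(chain_results(7))   # [None, None, None, None, 3, 3, 3]
    print(limit_result())     # 3
```

The first four approximants diverge because the input 3 needs four unrollings before the `iszero` base case is reached; from $n = 4$ on, every approximant and the limit agree, which is exactly the situation the continuity rule exploits when it lets infinitely many equal approximants stand in for the recursive term.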
2.2 Adequacy 


The Claim. We now embark on the syntactic journey towards a proof that we have 
an adequate theory: formally, that $t \Uparrow \Rightarrow t \sim \Omega$. For the reasons given above, 
the proof follows the usual approaches, replacing closure under bottom 
elements and least upper bounds of the relevant chains with closure under 
divergence and limits of rational chains. 


Approximations. First we define abstractly¹ the notion of an approximation candidate 
between terms and the values they approximate; these are then extended 
to relations on terms. The concrete relations we use for each type are given by 
certain actions on approximation candidates (cf., e.g., Pitts 2000). When using 
the result of an action $\phi$ on approximation candidates $\lhd_1, \ldots, \lhd_n$ infix, we will 
sometimes surround the result with brackets, as in $t\ (\phi(\lhd_1, \ldots, \lhd_n))\ u$, to aid 
readability. 


Definition 1 (Approximation Candidates). An approximation candidate $\lhd$ 
for a type $T$ is a subset of $\mathrm{CTerms}^T \times \mathrm{NFs}^T$ s.t.: 

1. $\sim$ Extension: $t \sim t'$ and $t' \lhd v \Rightarrow t \lhd v$ 
2. Rational Admissibility: for $x : T \vdash t : T$ 
$$(\exists^{\infty} n.\ C[\mathsf{rec}^n x.t] \lhd v) \Rightarrow C[\mathsf{rec}\,x.t] \lhd v$$


Proposition 2. If $\lhd$ is an approximation candidate for type $T$, then the binary 
relation on $\mathrm{CTerms}^T$ defined by 
$$t \lhd^{\circ} u \iff t \sim \Omega \ \text{ or }\ (\exists v.\ u \Downarrow v \text{ and } t \lhd v)$$
satisfies the following properties: 

1. $\Omega$ Property: $\Omega \lhd^{\circ} u$, for any $u \in \mathrm{CTerms}^T$ 
2. $\sim$ Extension: $t \sim t'$ and $t' \lhd^{\circ} u \Rightarrow t \lhd^{\circ} u$ 
3. $\Downarrow$ Extension: $t \lhd^{\circ} u'$ and $(\forall v.\ u' \Downarrow v \Rightarrow u \Downarrow v) \Rightarrow t \lhd^{\circ} u$ 
4. Rational Admissibility: for $x : T \vdash t : T$ 
$$(\exists^{\infty} n.\ C[\mathsf{rec}^n x.t] \lhd^{\circ} u) \Rightarrow C[\mathsf{rec}\,x.t] \lhd^{\circ} u$$


Proof. To give a taste of how the proofs go using rational admissibility, assume 
we have $\exists^{\infty} n.\ C[\mathsf{rec}^n x.t] \lhd^{\circ} u$. From the definition, one of two options (possibly 
both) is true: either infinitely many of the terms on the left are identical to $\Omega$, or, 
for infinitely many $n$, $C[\mathsf{rec}^n x.t]$ is related to the value $v$ that $u$ reduces 
to (determinism of reduction is paramount here). Admissibility then follows by 
rational continuity in the first case (using the obvious constant context), and by 
admissibility of $\lhd$ (Definition 1) in the second. 


¹ Anticipating our treatment of polymorphism in Sect. 4, we have purposefully set up 
here a proof structure in the style of Girard (1989). 
Proposition 3 (Base Type Actions). The two binary relations $\lhd_{\mathrm{Bool}} \subseteq 
\mathrm{CTerms}^{\mathrm{Bool}} \times \mathrm{NFs}^{\mathrm{Bool}}$ and $\lhd_{\mathrm{Nat}} \subseteq \mathrm{CTerms}^{\mathrm{Nat}} \times \mathrm{NFs}^{\mathrm{Nat}}$ defined by 
$$t \lhd_{\mathrm{Bool}} v \iff t \sim v \qquad\text{and}\qquad t \lhd_{\mathrm{Nat}} v \iff t \sim v$$
are approximation candidates for $\mathrm{Bool}$ and $\mathrm{Nat}$. 


Proposition 4 (Arrow Action). Given approximation candidates $\lhd_T$ for $T$ 
and $\lhd_U$ for $U$, the binary relation between $\mathrm{CTerms}^{T \to U}$ and $\mathrm{NFs}^{T \to U}$ 
$$t\ (\lhd_T \to \lhd_U)\ \lambda x.u \iff \forall p \lhd_T^{\circ} q.\ t\,p \lhd_U^{\circ} u[q/x]$$
is an approximation candidate for $T \to U$. 


Definition 2 (Approximation Relation). The approximation relation $\lhd_T$ is 
the type-indexed family of approximation candidates defined by induction on 
types, where base types are covered by their respective actions (Proposition 3), 
and $\lhd_{T \to U} = \lhd_T \to \lhd_U$ (Proposition 4). 


Definition 3 (Environments). Given a typing context $\Gamma$, an environment $\sigma$ 
for $\Gamma$ is a substitution that maps each $x : T \in \Gamma$ to a closed term of type 
$\vdash \sigma(x) : T$. If $\sigma_1$ and $\sigma_2$ are two such, we write $\sigma_1 \lhd_\Gamma^{\circ} \sigma_2$ to mean $\sigma_1(x) \lhd_T^{\circ} \sigma_2(x)$ 
for all $x : T \in \Gamma$. 


Proposition 5. For any $\Gamma \vdash t : T$ and environments $\sigma_1 \lhd_\Gamma^{\circ} \sigma_2$, $t[\sigma_1] \lhd_T^{\circ} t[\sigma_2]$. 

Corollary 1 (Adequacy). For every closed $\vdash t : T$, $t \Uparrow \Rightarrow t \sim \Omega$. 

Proof. Applying Proposition 5 to $\vdash t : T$ (for the empty substitution), we conclude 
that $t \lhd_T^{\circ} t$; the definition of $(-)^{\circ}$ (Proposition 2) asserts, then, that either $t \sim \Omega$ 
or ($t \Downarrow v$ and $t \lhd_T v$); whereby if $t \Uparrow$, it can only be that $t \sim \Omega$. 


3 PCF with Sums 


The Extension. Sums provide a slight complication, but one which shows the 
adaptability of the method. The extension to call-by-name sums is presented in 
Table 3. With the new reduction rules come new $\beta$ rules and divergence rules 
in the theory (Table 4). As before, reduction is deterministic and the theory is 
sound. 


3.1 Adequacy 


Action. The action for sums must reflect the structure of its parameters. That 
is, for $\lhd_{T+U}$ we expect $t \lhd_{T+U} \mathsf{inl}\,u$ exactly when (modulo the theory) $t$ decomposes 
into some $\mathsf{inl}\,t'$ for which $t' \lhd_T^{\circ} u$. The assertion of that existence, though, causes 
us a small hiccup² in proving that $- \lhd_{T+U} v$ is rationally admissible: if we have 
a series of $C[\mathsf{rec}^n x.t] \lhd_{T+U} \mathsf{inl}\,u$, then we know that each of the terms on the 
left must be identical to some $\mathsf{inl}\,t_n$ with $t_n \lhd_T^{\circ} u$; but do the $t_n$ form a rational 
chain? It turns out that for every $t$, simply from the existence of $t \sim \mathsf{inl}\,t'$, 
and because each type is inhabited by $\Omega$, there is a context that can extract 
directly the $t'$ (up to equivalence, obviously) from the original term. (An idea 
we borrowed from McCusker 1998.) 

² A hiccup that will be much amplified in the proof of admissibility for $FA$ (Sect. 4). 

Table 3. Extension of PCF with binary sums 

Types: $T, U ::= \ldots \mid T + U$ 

Typing: 
$$\frac{\Gamma \vdash t : T}{\Gamma \vdash \mathsf{inl}\,t : T + U} \qquad \frac{\Gamma \vdash t : U}{\Gamma \vdash \mathsf{inr}\,t : T + U}$$
$$\frac{\Gamma \vdash t : T + T' \quad x : T, \Gamma \vdash u : U \quad y : T', \Gamma \vdash q : U}{\Gamma \vdash \mathsf{match}\ t\ \mathsf{as}\ \{\mathsf{inl}\,x.u,\ \mathsf{inr}\,y.q\} : U}$$

Reduction: 
$$\mathsf{inl}\,t \Downarrow \mathsf{inl}\,t \qquad \mathsf{inr}\,t \Downarrow \mathsf{inr}\,t$$
$$\frac{t \Downarrow \mathsf{inl}\,t' \quad u[t'/x] \Downarrow v}{\mathsf{match}\ t\ \mathsf{as}\ \{\mathsf{inl}\,x.u,\ \mathsf{inr}\,y.q\} \Downarrow v} \qquad \frac{t \Downarrow \mathsf{inr}\,t' \quad q[t'/y] \Downarrow v}{\mathsf{match}\ t\ \mathsf{as}\ \{\mathsf{inl}\,x.u,\ \mathsf{inr}\,y.q\} \Downarrow v}$$

Table 4. Extension of the theory in Table 2 with binary sums 

$\beta$ Rules: 
$\mathsf{match}\ \mathsf{inl}\,t\ \mathsf{as}\ \{\mathsf{inl}\,x.u,\ \mathsf{inr}\,y.q\} \sim u[t/x]$ \quad 
$\mathsf{match}\ \mathsf{inr}\,t\ \mathsf{as}\ \{\mathsf{inl}\,x.u,\ \mathsf{inr}\,y.q\} \sim q[t/y]$ 

Divergence Rules: $\mathsf{match}\ \Omega\ \mathsf{as}\ \{\mathsf{inl}\,x.u,\ \mathsf{inr}\,y.q\} \sim \Omega$ 


Lemma 1. The contexts 
$$T'[-] = \mathsf{match}\ -\ \mathsf{as}\ \{\mathsf{inl}\,x.x,\ \mathsf{inr}\,y.\Omega\} \qquad T''[-] = \mathsf{match}\ -\ \mathsf{as}\ \{\mathsf{inl}\,x.\Omega,\ \mathsf{inr}\,y.y\}$$
satisfy $t \sim \mathsf{inl}\,u \Rightarrow T'[t] \sim u$ and $t \sim \mathsf{inr}\,u \Rightarrow T''[t] \sim u$. 


Proposition 6 (Sum Action). Given approximation candidates $\lhd_T$ for $T$ and 
$\lhd_U$ for $U$, the relation between $\mathrm{CTerms}^{T+U}$ and $\mathrm{NFs}^{T+U}$ defined by 
$$t\ (\lhd_T + \lhd_U)\ \mathsf{inl}\,u \iff (\exists t'.\ t' \lhd_T^{\circ} u \wedge t \sim \mathsf{inl}\,t')$$
$$t\ (\lhd_T + \lhd_U)\ \mathsf{inr}\,u \iff (\exists t'.\ t' \lhd_U^{\circ} u \wedge t \sim \mathsf{inr}\,t')$$
is an approximation candidate for $T + U$. 


Proof. For rational admissibility, the pre-condition must hold for (at least) one 
of the two clauses in the definition. Say we have $\exists^{\infty} n.\ C[\mathsf{rec}^n x.t]\ (\lhd_T + \lhd_U)\ \mathsf{inl}\,u$ 
with each term on the left equivalent to some $\mathsf{inl}\,t_n$; rewriting $t_n \sim 
T'[C[\mathsf{rec}^n x.t]]$ (Lemma 1) it follows that (Proposition 2) 
$$C[\mathsf{rec}^n x.t] \sim \mathsf{inl}\,T'[C[\mathsf{rec}^n x.t]] \qquad\text{and}\qquad T'[C[\mathsf{rec}^n x.t]] \lhd_T^{\circ} u$$
An application of rational continuity of the theory, and one of rational admissibility 
of $\lhd_T^{\circ}$ (again, Proposition 2) yields $C[\mathsf{rec}\,x.t] \sim \mathsf{inl}\,T'[C[\mathsf{rec}\,x.t]]$ and 
also $T'[C[\mathsf{rec}\,x.t]] \lhd_T^{\circ} u$, so that $C[\mathsf{rec}\,x.t]\ (\lhd_T + \lhd_U)\ \mathsf{inl}\,u$. (Likewise for the 
right injection.) 


Adequacy. The rest of the proof of adequacy follows exactly as before. Approxi- 
mation candidates for sums are derived by induction using the sum action; and 
with them we can extend Proposition 5. 


4 Call-by-Push-Value 


Values vs. Computations. We now turn to Call-by-push-value (Levy 2004). This 
language (Table 5) distinguishes between values and computations, with value 
types represented by $A, A'$, etc., and computation types by $B, B'$, etc. The set of 
closed values of type $A$ will be represented by $\mathrm{Vals}^A$; that of closed computations 
by $\mathrm{Comps}^B$. Variables always have value type. Here we include value products 
and sums, products of computation types $B \,\Pi\, B'$, types $FA$ for computations 
aiming to return a value, and functions, which in CBPV are computations taking 
values to computations. Central to CBPV, we also include value types $UB$ of 
suspended computations of type $B$, which can be of one of two forms. 


Recursion. In addition to the usual thunks of computations, we also have recursively 
defined thunks $\mathsf{threc}\,x.t$. An alternative would be to use recursive computations 
$\Gamma \vdash^{\mathsf{c}} \mathsf{rec}\,x.t : B$. Although the two are equivalent via the definitions 
$\mathsf{rec}\,x.t := \mathsf{force}\ \mathsf{threc}\,x.t$ and $\mathsf{threc}\,x.t := \mathsf{thunk}\ \mathsf{rec}\,x.t$, there are two reasons 
for preferring $\mathsf{threc}$: one is that, in some denotational models (e.g. state or 
continuation passing), $\mathsf{threc}$ has a simpler denotation than $\mathsf{rec}$. The other is 
that a treatment based on $\mathsf{threc}$ would be more easily adapted to call-by-value, 
where recursion and lambda are combined. 


Evaluation. Evaluation (Table 6) pertains only to computations. Those on the 
co-domain side of the evaluation relation $\Downarrow$ we call the terminal computations 
or, alternatively, the normal forms; their (type-indexed) set is represented 
by $\mathrm{NFs}^B$. Since we have two forms of thunked computations, the action of forcing 
one such into execution must act accordingly; this unthunking (a derived 
operation on the syntax) returns the computation suspended inside a thunk, 
or plucks out the computation from a $\mathsf{threc}\,x.t$ suitably instantiated by the 
recursive thunk itself, i.e. $t[\mathsf{threc}\,x.t/x]$. Note that reduction is deterministic. 
Table 5. Call-by-push-value with recursion—syntax 

Types: 
$$A, A', \ldots ::= 1 \mid A \times A' \mid 0 \mid A + A' \mid UB \qquad B, B', \ldots ::= FA \mid A \to B \mid 1_\Pi \mid B \,\Pi\, B'$$

Typing: 
$$\frac{(x : A \in \Gamma)}{\Gamma \vdash^{\mathsf{v}} x : A} \qquad \frac{\Gamma \vdash^{\mathsf{v}} v : A \quad x : A, \Gamma \vdash^{\mathsf{c}} t : B}{\Gamma \vdash^{\mathsf{c}} \mathsf{let}\ v\ \mathsf{be}\ x.t : B} \qquad \frac{\Gamma \vdash^{\mathsf{v}} v : A}{\Gamma \vdash^{\mathsf{c}} \mathsf{return}\ v : FA}$$
$$\frac{\Gamma \vdash^{\mathsf{c}} u : FA \quad x : A, \Gamma \vdash^{\mathsf{c}} t : B}{\Gamma \vdash^{\mathsf{c}} u\ \mathsf{to}\ x.t : B} \qquad \frac{\Gamma \vdash^{\mathsf{c}} t : B}{\Gamma \vdash^{\mathsf{v}} \mathsf{thunk}\ t : UB} \qquad \frac{\Gamma \vdash^{\mathsf{v}} v : UB}{\Gamma \vdash^{\mathsf{c}} \mathsf{force}\ v : B}$$
$$\frac{x : UB, \Gamma \vdash^{\mathsf{c}} t : B}{\Gamma \vdash^{\mathsf{v}} \mathsf{threc}\,x.t : UB} \qquad \frac{}{\Gamma \vdash^{\mathsf{c}} \Omega : B}$$
$$\frac{\Gamma \vdash^{\mathsf{v}} v : A \quad \Gamma \vdash^{\mathsf{v}} v' : A'}{\Gamma \vdash^{\mathsf{v}} (v, v') : A \times A'} \qquad \frac{\Gamma \vdash^{\mathsf{v}} v : A \times A' \quad x : A, y : A', \Gamma \vdash^{\mathsf{c}} t : B}{\Gamma \vdash^{\mathsf{c}} \mathsf{match}\ v\ \mathsf{as}\ (x, y).t : B}$$
$$\frac{}{\Gamma \vdash^{\mathsf{v}} () : 1} \qquad \frac{\Gamma \vdash^{\mathsf{v}} v : 1 \quad \Gamma \vdash^{\mathsf{c}} t : B}{\Gamma \vdash^{\mathsf{c}} \mathsf{match}\ v\ \mathsf{as}\ ().t : B} \qquad \frac{\Gamma \vdash^{\mathsf{v}} v : 0}{\Gamma \vdash^{\mathsf{c}} \mathsf{match}\ v\ \mathsf{as}\ \{\} : B}$$
$$\frac{}{\Gamma \vdash^{\mathsf{c}} \lambda\{\} : 1_\Pi} \qquad \frac{\Gamma \vdash^{\mathsf{c}} t : B \quad \Gamma \vdash^{\mathsf{c}} t' : B'}{\Gamma \vdash^{\mathsf{c}} \lambda\{1.t, 2.t'\} : B \,\Pi\, B'} \qquad \frac{\Gamma \vdash^{\mathsf{c}} t : B \,\Pi\, B'}{\Gamma \vdash^{\mathsf{c}} t\,1 : B} \qquad \frac{\Gamma \vdash^{\mathsf{c}} t : B \,\Pi\, B'}{\Gamma \vdash^{\mathsf{c}} t\,2 : B'}$$
$$\frac{x : A, \Gamma \vdash^{\mathsf{c}} t : B}{\Gamma \vdash^{\mathsf{c}} \lambda x.t : A \to B} \qquad \frac{\Gamma \vdash^{\mathsf{c}} t : A \to B \quad \Gamma \vdash^{\mathsf{v}} v : A}{\Gamma \vdash^{\mathsf{c}} t\,v : B}$$
$$\frac{\Gamma \vdash^{\mathsf{v}} v : A}{\Gamma \vdash^{\mathsf{v}} \mathsf{inl}\,v : A + A'} \qquad \frac{\Gamma \vdash^{\mathsf{v}} v : A'}{\Gamma \vdash^{\mathsf{v}} \mathsf{inr}\,v : A + A'} \qquad \frac{\Gamma \vdash^{\mathsf{v}} v : A + A' \quad x : A, \Gamma \vdash^{\mathsf{c}} t : B \quad y : A', \Gamma \vdash^{\mathsf{c}} t' : B}{\Gamma \vdash^{\mathsf{c}} \mathsf{match}\ v\ \mathsf{as}\ \{\mathsf{inl}\,x.t,\ \mathsf{inr}\,y.t'\} : B}$$

Table 6. Call-by-push-value with recursion—reduction 

$$\mathsf{return}\ v \Downarrow \mathsf{return}\ v \qquad \lambda x.t \Downarrow \lambda x.t \qquad \lambda\{\} \Downarrow \lambda\{\} \qquad \lambda\{1.t, 2.t'\} \Downarrow \lambda\{1.t, 2.t'\}$$
$$\frac{t[v/x] \Downarrow r}{\mathsf{let}\ v\ \mathsf{be}\ x.t \Downarrow r} \qquad \frac{t[v/x, v'/y] \Downarrow r}{\mathsf{match}\ (v, v')\ \mathsf{as}\ (x, y).t \Downarrow r} \qquad \frac{t \Downarrow r}{\mathsf{match}\ ()\ \mathsf{as}\ ().t \Downarrow r}$$
$$\frac{t[v/x] \Downarrow r}{\mathsf{match}\ \mathsf{inl}\,v\ \mathsf{as}\ \{\mathsf{inl}\,x.t,\ \mathsf{inr}\,y.t'\} \Downarrow r} \qquad \frac{t'[v/y] \Downarrow r}{\mathsf{match}\ \mathsf{inr}\,v\ \mathsf{as}\ \{\mathsf{inl}\,x.t,\ \mathsf{inr}\,y.t'\} \Downarrow r}$$
$$\frac{t \Downarrow \lambda\{1.u, 2.u'\} \quad u \Downarrow r}{t\,1 \Downarrow r} \qquad \frac{t \Downarrow \lambda\{1.u, 2.u'\} \quad u' \Downarrow r}{t\,2 \Downarrow r}$$
$$\frac{u \Downarrow \mathsf{return}\ w \quad t[w/x] \Downarrow r}{u\ \mathsf{to}\ x.t \Downarrow r} \qquad \frac{t \Downarrow \lambda x.u \quad u[v/x] \Downarrow r}{t\,v \Downarrow r} \qquad \frac{\mathsf{unthunk}\ v \Downarrow r}{\mathsf{force}\ v \Downarrow r}$$
where $\mathsf{unthunk}(\mathsf{thunk}\ t) = t$ and $\mathsf{unthunk}(\mathsf{threc}\,x.t) = t[\mathsf{threc}\,x.t/x]$. 
4.1 Theory 

Theory. By a (CBPV) congruence on closed terms we mean a type-indexed 
equivalence relation $\sim$ on closed values and computations such that for all closed 
terms $t \sim t'$ and (value or computation) context $C[-]$ we have $C[t] \sim C[t']$, 
respectively. A congruence is a rationally continuous $\beta$-$\Omega$-fix theory when it 
satisfies the rules in Table 7. Rational chains are now those built by the 
application of a context $C[-]$ to the (thunked) approximants $\mathsf{threc}^n$ of recursive 
thunks, which are defined by the clauses $\mathsf{threc}^0 x.t = \mathsf{thunk}\ \Omega$ and 
$\mathsf{threc}^{n+1} x.t = \mathsf{thunk}\ t[\mathsf{threc}^n x.t/x]$; continuity is defined accordingly. Any 
congruence including the $\beta$ and fixpoint rules is easily seen to be sound. We shall 
show that with the remaining rules it is also adequate. 


Table 7. Call-by-push-value with recursion—rationally continuous $\beta$-$\Omega$-fix theory 

Basis: an equivalence relation $\sim$ on closed terms satisfying compatibility: 
for any $C[-]$, $t \sim u \Rightarrow C[t] \sim C[u]$; for any $C[-]$, $v \sim w \Rightarrow C[v] \sim C[w]$. 

$\beta$ Rules: 
$\mathsf{let}\ v\ \mathsf{be}\ x.t \sim t[v/x]$ \quad $\mathsf{match}\ ()\ \mathsf{as}\ ().t \sim t$ 
$\mathsf{match}\ (v, v')\ \mathsf{as}\ (x, y).t \sim t[v/x, v'/y]$ 
$\mathsf{match}\ \mathsf{inl}\,v\ \mathsf{as}\ \{\mathsf{inl}\,x.t,\ \mathsf{inr}\,y.t'\} \sim t[v/x]$ 
$\mathsf{match}\ \mathsf{inr}\,v\ \mathsf{as}\ \{\mathsf{inl}\,x.t,\ \mathsf{inr}\,y.t'\} \sim t'[v/y]$ 
$\lambda\{1.t, 2.t'\}\,1 \sim t$ \quad $\lambda\{1.t, 2.t'\}\,2 \sim t'$ \quad $\mathsf{return}\ v\ \mathsf{to}\ x.t \sim t[v/x]$ 
$\mathsf{force}\ \mathsf{thunk}\ t \sim t$ \quad $(\lambda x.t)\,v \sim t[v/x]$ 

Fixpoint Rule: $\mathsf{threc}\,x.t \sim \mathsf{thunk}\ t[\mathsf{threc}\,x.t/x]$ 

Divergence Rules: $\Omega\ \mathsf{to}\ x.t \sim \Omega$ \quad $\Omega\,1 \sim \Omega$ \quad $\Omega\,2 \sim \Omega$ \quad $\Omega\,v \sim \Omega$ 

Rational Continuity: for $x : UB \vdash^{\mathsf{c}} t : B$ and $C[-]$, $D[-]$ computation contexts 
$$\frac{\exists^{\infty} n.\ C[\mathsf{threc}^n x.t] \sim D[\mathsf{threc}^n x.t]}{C[\mathsf{threc}\,x.t] \sim D[\mathsf{threc}\,x.t]}$$
where $\mathsf{threc}^0 x.t = \mathsf{thunk}\ \Omega$ and $\mathsf{threc}^{n+1} x.t = \mathsf{thunk}\ t[\mathsf{threc}^n x.t/x]$. 


4.2 Adequacy 


Values: Empty Shells. In the proof of adequacy for PCF with sums we were 
required to introduce the tests so that we could, metaphorically, peek inside the 
injections and transform the rational chains there into equivalent ones with the 
properties we needed (cf. proof of Proposition 6). Here the problem expands to 
all value types. When checking rational admissibility, we need to decompose a 
value into its ultimate pattern and its constituent thunks (Lassen and Levy 2008, 
following ideas from Abramsky and McCusker 1997; also discernible in the work 
of Zeilberger 2008) and use those to find equivalent chains that can be used to 
establish adequacy. 


Definition 4 (Ultimate Patterns). The set of ultimate patterns $\mathrm{UP}^A$ for 
a value type $A$ is given by induction on the following rules: $-_{UB} \in \mathrm{UP}^{UB}$, 
$() \in \mathrm{UP}^1$ and 
$$\frac{p \in \mathrm{UP}^A \quad p' \in \mathrm{UP}^{A'}}{(p, p') \in \mathrm{UP}^{A \times A'}} \qquad \frac{p \in \mathrm{UP}^A}{\mathsf{inl}\,p \in \mathrm{UP}^{A + A'}} \qquad \frac{p \in \mathrm{UP}^{A'}}{\mathsf{inr}\,p \in \mathrm{UP}^{A + A'}}$$

For a given ultimate pattern $p \in \mathrm{UP}^A$ the finite sequence of hole-types in pattern 
$p$ is given by induction by 
$$H(-_{UB}) = (UB) \qquad H(()) = \varepsilon \qquad H((p, p')) = H(p) \mathbin{+\!\!+} H(p') \qquad H(\mathsf{inl}\,p) = H(p) \qquad H(\mathsf{inr}\,p) = H(p)$$

Proposition 7 (Value Decomposition). Given $\vdash^{\mathsf{v}} v : A$, there is a unique 
$p \in \mathrm{UP}^A$ and a unique sequence $(\vdash^{\mathsf{v}} v_i : H(p)_i)_{i < |H(p)|}$, the filling, for which 
$v = p \mathbin{@} (v_i)_{i < |H(p)|}$, using the reassembly function 
$$(-_{UB}) \mathbin{@} (v) = v \qquad () \mathbin{@} \varepsilon = ()$$
$$\mathsf{inl}\,p \mathbin{@} (v_i)_{i < |H(p)|} = \mathsf{inl}\,(p \mathbin{@} (v_i)_{i < |H(p)|}) \qquad \mathsf{inr}\,p \mathbin{@} (v_i)_{i < |H(p)|} = \mathsf{inr}\,(p \mathbin{@} (v_i)_{i < |H(p)|})$$
$$(p, p') \mathbin{@} (v_i)_{i < |H(p)| + |H(p')|} = \big(p \mathbin{@} (v_i)_{i < |H(p)|},\ p' \mathbin{@} (v_{|H(p)| + i})_{i < |H(p')|}\big)$$


Tests. Ultimate patterns let us define the tests that extract the computations 
embedded in a given value. Like in the PCF sum case, we can use them to define 
values that are equivalent to a given one but make use only of the latter. If the 
values are derived from some family of contexts for the holes, then we can derive 
an equivalent context from the respective ultimate pattern. 


Definition 5. For $p \in \mathrm{UP}^A$ and $i < |H(p)|$, we define a context $T^p_i[-]$ by 
induction on $p \in \mathrm{UP}^A$ using the rules below. Note that when $\Gamma \vdash^{\mathsf{v}} - : A$ the test 
has type $\Gamma \vdash^{\mathsf{c}} T^p_i[-] : B_i$ where $UB_i = H(p)_i$. 
$$T^{-_{UB}}_0[-] = \mathsf{force}\ -$$
$$T^{\mathsf{inl}\,p}_i[-] = \mathsf{match}\ -\ \mathsf{as}\ \{\mathsf{inl}\,x.\,T^p_i[x],\ \mathsf{inr}\,y.\Omega\} \qquad T^{\mathsf{inr}\,p}_i[-] = \mathsf{match}\ -\ \mathsf{as}\ \{\mathsf{inl}\,x.\Omega,\ \mathsf{inr}\,y.\,T^p_i[y]\}$$
$$T^{(p, p')}_i[-] = \mathsf{match}\ -\ \mathsf{as}\ (x, y).\,T^p_i[x] \quad (i < |H(p)|) \qquad T^{(p, p')}_{|H(p)| + i}[-] = \mathsf{match}\ -\ \mathsf{as}\ (x, y).\,T^{p'}_i[y]$$

Proposition 8 (Tests Decompose). Given a pattern $p \in \mathrm{UP}^A$, a sequence 
$(\vdash^{\mathsf{v}} w_i : H(p)_i)_{i < |H(p)|}$ and $i < |H(p)|$, we have $T^p_i[p \mathbin{@} (w_i)_{i < |H(p)|}] \sim \mathsf{force}\ w_i$. 


Proposition 9. For $\vdash^{\mathsf{c}} t : FA$ and $p \in \mathrm{UP}^A$, if $t \sim \mathsf{return}\ p \mathbin{@} (v_i)_{i < |H(p)|}$ 
then, successively: 

1. $\forall i < |H(p)|.\ \mathsf{thunk}(t\ \mathsf{to}\ x.\,T^p_i[x]) \sim v_i$ 
2. $p \mathbin{@} (v_i)_{i < |H(p)|} \sim p \mathbin{@} (\mathsf{thunk}(t\ \mathsf{to}\ x.\,T^p_i[x]))_{i < |H(p)|}$ 
3. $t \sim \mathsf{return}\ p \mathbin{@} (\mathsf{thunk}(t\ \mathsf{to}\ x.\,T^p_i[x]))_{i < |H(p)|}$ 


Approximation Candidates. Unlike PCF, where we have computations and normal 
forms, CBPV has three levels of syntax: values, terminals, and computations. 
For the purposes of defining the needed approximation candidates, terminals 
(read: normal forms) and computations behave like their PCF counterparts and 
have (by now) familiar definitions of approximation candidates. Approximation 
candidates for value types enforce that only structurally similar values are related; 
that they are (left) closed under equivalence of their holes; and that they are 
closed under the usual chains. 


Definition 6 (Approximation Candidates). Given a value type $A$, an 
approximation candidate $\lhd$ for $A$ is a subset of $\mathrm{Vals}^A \times \mathrm{Vals}^A$ such that 

1. Structural Matching: $p \mathbin{@} (v_i)_i \lhd p' \mathbin{@} (w_i)_i \Rightarrow p = p'$ 
2. Computational $\sim$ Extension: if $p \mathbin{@} (v_i)_{i < |H(p)|} \lhd p \mathbin{@} (w_i)_{i < |H(p)|}$ then 
$(\forall i < |H(p)|.\ v'_i \sim v_i) \Rightarrow p \mathbin{@} (v'_i)_{i < |H(p)|} \lhd p \mathbin{@} (w_i)_{i < |H(p)|}$ 
3. Rational Admissibility: for $x : UB \vdash^{\mathsf{c}} t : B$ 
$$(\exists^{\infty} n.\ V[\mathsf{threc}^n x.t] \lhd w) \Rightarrow V[\mathsf{threc}\,x.t] \lhd w$$

Given a computation type $B$, an approximation candidate $\lhd$ for $B$ is a subset 
of $\mathrm{Comps}^B \times \mathrm{NFs}^B$ such that 

1. $\sim$ Extension: $t \sim t'$ and $t' \lhd r \Rightarrow t \lhd r$ 
2. Rational Admissibility: for $x : UB \vdash^{\mathsf{c}} t : B$ 
$$(\exists^{\infty} n.\ C[\mathsf{threc}^n x.t] \lhd r) \Rightarrow C[\mathsf{threc}\,x.t] \lhd r$$


Proposition 10. Given a (computation) approximation candidate $\lhd$ on $B$, 
define its closure as the binary relation on $\mathrm{Comps}^B \times \mathrm{Comps}^B$ where 
$$t \lhd^{\circ} u \iff t \sim \Omega \ \text{ or }\ (\exists r.\ u \Downarrow r \text{ and } t \lhd r)$$
It satisfies the following properties: 

1. $\Omega$ Property: $\Omega \lhd^{\circ} u$ for any $u \in \mathrm{Comps}^B$ 
2. $\sim$ Extension: $t \sim t'$ and $t' \lhd^{\circ} u \Rightarrow t \lhd^{\circ} u$ 
3. $\Downarrow$ Extension: $t \lhd^{\circ} u'$ and $(\forall r.\ u' \Downarrow r \Rightarrow u \Downarrow r) \Rightarrow t \lhd^{\circ} u$ 
4. Rational Admissibility: for $x : UB \vdash^{\mathsf{c}} t : B$ 
$$(\exists^{\infty} n.\ C[\mathsf{threc}^n x.t] \lhd^{\circ} u) \Rightarrow C[\mathsf{threc}\,x.t] \lhd^{\circ} u$$
Actions. We can then define the actions on these approximation candidates 
associated with each type constructor. Mostly this is done by structure (for 
values) or by use (for computations); the exceptions are U types and F types that 
we define, respectively, by structure, and by use. Note that it is the existential 
quantification in the definition of the F action that—very much like PCF sums— 
requires the use of the tests. Using them, we can easily define, by induction, the 
approximation relation and thereby establish the adequacy of the theory. 


Proposition 11 (Thunk Action). Let $\lhd$ be an approximation candidate for 
$B$. Then the binary relation 
$$v\ (U(\lhd))\ w \iff \mathsf{force}\ v \lhd^{\circ} \mathsf{unthunk}\ w$$
is an approximation candidate for $UB$. 

Proposition 12 (F Action). Let $\lhd$ be an approximation candidate for $A$. Then 
the following is an approximation candidate for $FA$: 
$$t\ (F(\lhd))\ \mathsf{return}\ w \iff \exists v \lhd w.\ t \sim \mathsf{return}\ v$$


Definition 7 (Environments). Given a typing context $\Gamma$, an environment $\sigma$ for 
$\Gamma$ is a substitution that maps each $x : A \in \Gamma$ to a closed term of type $\vdash^{\mathsf{v}} \sigma(x) : A$. 
If $\sigma_1$ and $\sigma_2$ are two such, we write $\sigma_1 \lhd_\Gamma \sigma_2$ to mean $\sigma_1(x) \lhd_A \sigma_2(x)$ for all 
$x : A \in \Gamma$. 

Proposition 13. For any $\Gamma \vdash^{\mathsf{c}} t : B$ (resp. $\Gamma \vdash^{\mathsf{v}} v : A$), and environments 
$\sigma_1 \lhd_\Gamma \sigma_2$, we have $t[\sigma_1] \lhd_B^{\circ} t[\sigma_2]$ (resp. $v[\sigma_1] \lhd_A v[\sigma_2]$). 

Corollary 2 (Adequacy). For any computation $\vdash^{\mathsf{c}} t : B$, if $t \Uparrow$ then $t \sim \Omega$. 


5 Polymorphic Call-by-Push-Value 


Adequacy, Now For All. Our final extension deals with polymorphism. In Call-
by-push-value, polymorphic types are computation types. We may quantify over 
both value and computation types. The extension is presented in Table 8. 

We assume two disjoint countable sets of variables, $X, Y, \ldots \in \mathrm{VVars}$ and 
$\underline{X}, \underline{Y}, \ldots \in \mathrm{CVars}$, for value and computation types (resp.). Types are now also 
considered up to $\alpha$-equivalence. They will also be considered under a context, 
$\Theta \vdash^{\mathsf{c}} B$ and $\Theta \vdash^{\mathsf{v}} A$, where $\Theta$ is some finite subset of $\mathrm{VVars} \cup \mathrm{CVars}$ that 
includes the free type variables of $A$ or $B$. (These type judgements have 
an obvious inductive definition.) The proper extension of a type context $\Theta$ by 
a type variable $\chi$ will be denoted by $\chi, \Theta$. Typing judgements also need to be 
annotated by a type context, as in $\Theta; \Gamma \vdash^{\mathsf{c}} t : B$ where $\Theta$ includes all the free 
type variables in the types of $\Gamma$ and $B$. The previous typing rules are extended 
in the evident way. 
Table 8. Polymorphic Call-by-push-value with recursion 

Types: $A ::= X \in \mathrm{VVars} \mid \ldots$ \qquad $B ::= \underline{X} \in \mathrm{CVars} \mid \ldots \mid \Pi X.B \mid \Pi \underline{X}.B$ 

Typing: 
$$\frac{X, \Theta; \Gamma \vdash^{\mathsf{c}} t : B \quad (X \notin \Theta)}{\Theta; \Gamma \vdash^{\mathsf{c}} \Lambda X.t : \Pi X.B} \qquad \frac{\Theta; \Gamma \vdash^{\mathsf{c}} t : \Pi X.B \quad \Theta \vdash^{\mathsf{v}} A}{\Theta; \Gamma \vdash^{\mathsf{c}} t\,A : B[A/X]}$$
$$\frac{\underline{X}, \Theta; \Gamma \vdash^{\mathsf{c}} t : B \quad (\underline{X} \notin \Theta)}{\Theta; \Gamma \vdash^{\mathsf{c}} \Lambda \underline{X}.t : \Pi \underline{X}.B} \qquad \frac{\Theta; \Gamma \vdash^{\mathsf{c}} t : \Pi \underline{X}.B \quad \Theta \vdash^{\mathsf{c}} B'}{\Theta; \Gamma \vdash^{\mathsf{c}} t\,B' : B[B'/\underline{X}]}$$

Reduction: 
$$\Lambda X.t \Downarrow \Lambda X.t \qquad \Lambda \underline{X}.t \Downarrow \Lambda \underline{X}.t \qquad \frac{t \Downarrow \Lambda X.u \quad u[A/X] \Downarrow r}{t\,A \Downarrow r} \qquad \frac{t \Downarrow \Lambda \underline{X}.u \quad u[B/\underline{X}] \Downarrow r}{t\,B \Downarrow r}$$

Table 9. Extension of the theory in Table 7 to polymorphism 

$\beta$ Rules: $(\Lambda X.t)\,A \sim t[A/X]$ \qquad $(\Lambda \underline{X}.t)\,B \sim t[B/\underline{X}]$ 

Divergence Rules: $\Omega\,A \sim \Omega$ \qquad $\Omega\,B \sim \Omega$ 


Reduction and Theory. Reduction, defined only for closed terms of closed 
type, is still deterministic. On the theory side, we equate only closed 
terms of closed type, so that we need only extend the theory of Sect. 4 with the 
obvious $\beta$ and divergence rules (Table 9). Unsurprisingly, soundness still stands. 


5.1 Adequacy 


Approximation Candidates and Actions. Throughout we have worked with 
approximation candidates—and now we can reap the fruits of that work. The 
definition of approximation candidates (Definition 6) and of their extension to 
computations (Proposition 10) can stay exactly the same; as can the actions for 
non-polymorphic type constructors. The actions of polymorphic types follow. 


Proposition 14. Let $Y \vdash^{\mathsf{c}} B$ be a computation type, and $\phi$ a mapping that 
assigns to every closed type $T$ and approximation candidate $\lhd \in \mathrm{ACs}^T$ an approximation 
candidate $\phi_{T, \lhd} \in \mathrm{ACs}^{B[T/Y]}$; then 
$$t\ (\Pi Y.\phi)\ \Lambda Y.u \iff \text{for all } \vdash T,\ \lhd \in \mathrm{ACs}^T.\ \ t\,T\ (\phi_{T, \lhd})^{\circ}\ u[T/Y]$$
is an approximation candidate for $\Pi Y.B$, and likewise for $\Pi \underline{Y}.B$. 
Approximations. The approximation relations need to be parametrized by the 
candidates that will instantiate the type variables so that in the end we arrive at a 
candidate for a closed type. As usual, we have that it satisfies the weakening and 
substitution properties that are used in the proof of adequacy for abstractions 
and type instantiations, respectively. 


Definition 8 (Approximation Environment). An approximation environment 
$\gamma$ for $\Theta$ is a map taking each $\chi \in \Theta$ to a closed type $\gamma^T(\chi)$ of the same 
kind as $\chi$ and an adequacy candidate $\gamma^{\lhd}(\chi) \in \mathrm{ACs}^{\gamma^T(\chi)}$. 


Definition 9 (Parametrized Approximation Relations). Let $\Theta \vdash^{\mathsf{v}} A$ 
(resp. $\Theta \vdash^{\mathsf{c}} B$) be a (possibly open) type and $\gamma$ an approximation environment 
for $\Theta$. The following parametrized approximation relations, defined by induction 
on types, determine an approximation candidate for $A[\gamma^T]$, i.e. $A$ with each type 
variable $\chi$ replaced by $\gamma^T(\chi)$ (resp. $B[\gamma^T]$). 
$$\lhd^{\gamma}_{\Theta \vdash X} = \gamma^{\lhd}(X) \qquad \lhd^{\gamma}_{\Theta \vdash \underline{X}} = \gamma^{\lhd}(\underline{X})$$
$$\lhd^{\gamma}_{\Theta \vdash 1} = \lhd_1 \qquad \lhd^{\gamma}_{\Theta \vdash A \times A'} = (\lhd^{\gamma}_{\Theta \vdash A}) \times (\lhd^{\gamma}_{\Theta \vdash A'})$$
$$\lhd^{\gamma}_{\Theta \vdash 0} = \lhd_0 \qquad \lhd^{\gamma}_{\Theta \vdash A + A'} = (\lhd^{\gamma}_{\Theta \vdash A}) + (\lhd^{\gamma}_{\Theta \vdash A'})$$
$$\lhd^{\gamma}_{\Theta \vdash UB} = U(\lhd^{\gamma}_{\Theta \vdash B}) \qquad \lhd^{\gamma}_{\Theta \vdash FA} = F(\lhd^{\gamma}_{\Theta \vdash A})$$
$$\lhd^{\gamma}_{\Theta \vdash 1_\Pi} = \lhd_{1_\Pi} \qquad \lhd^{\gamma}_{\Theta \vdash B \,\Pi\, B'} = (\lhd^{\gamma}_{\Theta \vdash B}) \,\Pi\, (\lhd^{\gamma}_{\Theta \vdash B'})$$
$$\lhd^{\gamma}_{\Theta \vdash A \to B} = (\lhd^{\gamma}_{\Theta \vdash A}) \to (\lhd^{\gamma}_{\Theta \vdash B})$$
$$\lhd^{\gamma}_{\Theta \vdash \Pi Y.B} = \Pi Y.\big((T, \lhd) \mapsto \lhd^{\gamma[Y \mapsto (T, \lhd)]}_{Y, \Theta \vdash B}\big) \qquad \lhd^{\gamma}_{\Theta \vdash \Pi \underline{Y}.B} = \Pi \underline{Y}.\big((T, \lhd) \mapsto \lhd^{\gamma[\underline{Y} \mapsto (T, \lhd)]}_{\underline{Y}, \Theta \vdash B}\big)$$


Definition 10. For any $\Theta$ and approximation environment $\gamma$ for $\Theta$, if $\sigma_1$ and 
$\sigma_2$ are environments for $\Gamma[\gamma^T]$, we write $\sigma_1 \lhd^{\gamma}_{\Gamma} \sigma_2$ to mean $\sigma_1(x)\ (\lhd^{\gamma}_{\Theta \vdash A})\ \sigma_2(x)$ 
for every $x : A \in \Gamma$. 

Proposition 15. For any $\Theta; \Gamma \vdash^{\mathsf{c}} t : B$ (resp. $\Theta; \Gamma \vdash^{\mathsf{v}} v : A$), approximation 
environment $\gamma$ for $\Theta$, and environments $\sigma_1 \lhd^{\gamma}_{\Gamma} \sigma_2$ for $\Gamma$, 
$$t[\gamma^T][\sigma_1]\ (\lhd^{\gamma}_{\Theta \vdash B})^{\circ}\ t[\gamma^T][\sigma_2] \qquad (\text{resp. } v[\gamma^T][\sigma_1]\ (\lhd^{\gamma}_{\Theta \vdash A})\ v[\gamma^T][\sigma_2])$$


6 Concluding Remarks 


We have thus seen how, for term-level recursion, the rational continuity rule 
coupled with 8, the fixpoint property of recursion, and strictness of the basic 
constructors of the language suffices to make a theory adequate. The recipe of 
the previous sections applies to both call-by-name and call-by-value languages 
and is compatible with polymorphic types. Along the way we used no category 
theory; no models were mentioned. We relied only on syntactic constructions 
and required no external machinery. 
Two extensions are conspicuous for their absence: to existential types and to 
recursive types. In Call-by-push-value, existential types are value types. We con- 
jecture our theorem holds for them but we must find a way to quantify over 
ultimate patterns. For recursive types, even finding suitable conditions on ~% is 
challenging. We would like to adapt Pitts’ (1996) method of minimal invari- 
ant relations but we will need type constructors to be functorial over suitable 
syntactic categories. 

For term-recursion and polymorphism, however, we now know that to prove a 
model adequate we need only to show that it satisfies the basic laws and rational 
continuity. 
Abstract. The π-calculus, viewed as a core concurrent programming 
language, has been used as the target of much research on type systems 
for concurrency. In this paper we propose a new type system for deadlock-
free session-typed π-calculus processes, by integrating two separate lines 
of work. The first is the propositions-as-types approach by Caires and 
Pfenning, which provides a linear logic foundation for session types and 
guarantees deadlock-freedom by forbidding cyclic process connections. 
The second is Kobayashi's approach in which types are annotated with 
priorities so that the type system can check whether or not processes 
contain genuine cyclic dependencies between communication operations. 
We combine these two techniques for the first time, and define a new 
and more expressive variant of classical linear logic with a proof assignment 
that gives a session type system with Kobayashi-style priorities. 
This can be seen in three ways: (i) as a new linear logic in which cyclic 
structures can be derived and a Cycle-elimination theorem generalises 
Cut-elimination; (ii) as a logically-based session type system, which is 
more expressive than Caires and Pfenning's; (iii) as a logical foundation 
for Kobayashi's system, bringing it into the sphere of the propositions-
as-types paradigm. 


1 Introduction 


The Curry-Howard correspondence, or propositions-as-types paradigm, provides 
a canonical logical foundation for functional programming [42]. It identifies types 
with logical propositions, programs with proofs, and computation with proof 
normalisation. It was natural to ask for a similar account of concurrent programming, 
and this question was brought into focus by the discovery of linear 
logic [24] and Girard's explicit suggestion that it should have some connection 
with concurrent computation. Several attempts were made to relate π-calculus 
processes to the proof nets of classical linear logic [1,8], and to relate CCS-like 
processes to the *-autonomous categories that provide semantics for classical 
linear logic [2]. However, this work did not result in a convincing propositions-
as-types framework for concurrency, and did not continue beyond the 1990s. 
Fig. 1. Cyclic scheduler 


Meanwhile, Honda et al. [26,27,38] developed session types as a formalism for 
statically checking that messages have the correct types and sequence according 
to a communication protocol. Research on session types developed and matured 
over several years, eventually inspiring Caires and Pfenning [12] to discover a 
Curry-Howard correspondence between dual intuitionistic linear logic [7] and 
a form of π-calculus with session types [38]. Wadler [41] subsequently gave an 
alternative formulation based on classical linear logic, and related it to existing 
work on session types for functional languages [23]. The Caires-Pfenning approach 
has been widely accepted as a propositions-as-types theory of concurrent 
programming, as well as providing a logical foundation for session types. 

Caires and Pfenning’s type system guarantees deadlock-freedom by forbid- 
ding cyclic process structures. It provides a logical foundation for deadlock-free 
session processes, complementing previous approaches to deadlock-freedom in 
session type systems [9,15,21,22]. The logical approach to session types has 
been extended in many ways, including features such as dependent types [39], 
failures and non-determinism [11], sharing and races [6]. All this work relies on 
the acyclicity condition. However, rejecting cyclic process structures is unneces- 
sarily strict: they are a necessary, but not sufficient, condition for the existence 
of deadlocked communication operations. As we will show in Example 1 (Fig. 1), 
there are deadlock-free processes that can naturally be implemented in a cyclic 
way, but are rejected by Caires and Pfenning’s type system. 

Our contribution is to define a new logic, priority-based linear logic (PLL), 
and formulate it as a type system for priority-based CP (PCP), which is a more 
expressive class of processes than Wadler’s CP [41]. This is the first Curry- 
Howard correspondence that allows cyclic interconnected processes, while still 
ensuring deadlock-freedom. The key idea is that PLL includes conditions on 
inter-channel dependencies based on Kobayashi’s type systems [29,30,32]. Our 
work can be viewed in three ways: (i) as a new linear logic in which cyclic proof 
structures can be derived; (ii) as an extension of Caires-Pfenning type systems so 
that they accept more processes, while maintaining the strong logical foundation; 
(iii) as a logical foundation for Kobayashi-style type systems. 
An example of a deadlock-free cyclic process is Milner's well-known scheduler 
[35], described in the following Example 1. 


Example 1 (Cyclic Scheduler, Fig. 1). A set of agents $A_0, \ldots, A_{n-1}$, for $n > 1$, 
is scheduled to perform a certain task in cyclic order, starting with agent $A_0$. 
For all $i \in \{1, \ldots, n-1\}$, agent $A_i$ sends the result of computation to a collector 
process $P_i$, before transmitting further data to agent $A_{(i+1) \bmod n}$. At the end 
of the round, $A_0$ sends the final result to $P_0$. Here we define a finite version of 
Milner's scheduler, which executes one round of communication. 
$$\mathit{Sched} \triangleq (\nu a_i b_i)_{i < n}\,(\nu c_i d_{(i+1) \bmod n})_{i < n}\,(A_0 \mid A_1 \mid \cdots \mid A_{n-1} \mid P_0 \mid P_1 \mid \cdots \mid P_{n-1})$$
$$A_0 \triangleq c_0[n_0].d_0(x_0).a_0[m_0].\mathit{close}_0$$
$$A_i \triangleq d_i(x_i).a_i[m_i].c_i[n_i].\mathit{close}_i \qquad i \in \{1, \ldots, n-1\}$$
$$P_i \triangleq b_i(y_i).Q_i \qquad i \in \{0, \ldots, n-1\}$$


Prefix co[no] denotes an output on co, and do(xo) an input on do. For now, 
let m and n denote data. Process close; closes the channels used by A;: the 
details of this closure are irrelevant here (however, they are as in processes Q 
and R in Example 2). Process Q; uses the message received from A;, in internal 
computation. The construct (vab) creates two channel endpoints a and b and 
binds them together. The system Sched is deadlock-free because A1, ..., An—1 
each wait for a message from the previous A; before sending, and Ao sends the 
initial message. 

Sched is not typable in the original type systems by Caires-Pfenning and 
Wadler. To do that, it would be necessary to break $A_0$ into two parallel agents 
$A_0' = c_0[n_0].\mathit{close}_{c_0}$ and $A_0'' = d_0(x_0).a_0[m_0].\mathit{close}_{a_0, d_0}$. This changes the design 
of the system, yielding a different one. Moreover, if the scheduler continues into 
a second round of communication, this redesign is not possible because of the 
potential dependency from the input on $d_0$ to the next output on $c_0$. However, 
Sched is typable in PCP; we will show the type assignment at the end of Sect. 2. 
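The round described in Example 1 can be simulated directly. The following is an added example in Python, not code from the paper: each agent and collector runs as a thread, each bound channel pair ($a_i/b_i$, $c_i/d_{(i+1) \bmod n}$) is a queue, and the run reports whether every process finished. A switch makes $A_0$ wait for its predecessor before sending, like every other agent, so the same cyclic topology then deadlocks; the contrast is the point of the example: the cycle alone is not what causes deadlock, the ordering of communication operations is. Queue-based channels, the join timeout used to report a stuck system, and the helper names are this example's own assumptions.

```python
# Added example (not from the paper): a thread-based simulation of the finite
# cyclic scheduler of Example 1, with queues standing in for channel endpoints.
import queue
import threading
import time

def run_scheduler(n, a0_sends_first=True, timeout=2.0):
    """One round of the scheduler with agents A_0..A_{n-1} and collectors P_0..P_{n-1}.

    chan_c[i] models the bound pair c_i/d_{(i+1) mod n} (A_i to the next agent) and
    chan_a[i] the pair a_i/b_i (A_i to its collector P_i).  With a0_sends_first the
    agents follow Example 1; with it off, A_0 also waits for its predecessor first,
    so every agent waits on the cycle and nothing is ever sent.
    Returns (completed, events): completed is False when some thread is still
    blocked after `timeout` seconds, which is how this simulation reports deadlock.
    """
    chan_c = [queue.Queue() for _ in range(n)]
    chan_a = [queue.Queue() for _ in range(n)]
    events, lock = [], threading.Lock()

    def record(msg):
        with lock:
            events.append(msg)

    def agent(i):
        d_i = chan_c[(i - 1) % n]              # A_i's input endpoint d_i, bound to c_{i-1}
        if i == 0 and a0_sends_first:
            chan_c[0].put(('n', 0))             # c_0[n_0]: the initial message
            record('A0 sent n0 on c0')
            x = d_i.get()                       # d_0(x_0): final result of the round
            record(f'A0 received {x[0]}{x[1]} on d0')
            chan_a[0].put(('m', 0))             # a_0[m_0]: report to P_0
        else:
            x = d_i.get()                       # d_i(x_i): wait for the previous agent
            record(f'A{i} received {x[0]}{x[1]} on d{i}')
            chan_a[i].put(('m', i))             # a_i[m_i]: report to P_i
            chan_c[i].put(('n', i))             # c_i[n_i]: pass the token on
        # close_i: queues need no explicit closing in this simulation

    def collector(i):
        y = chan_a[i].get()                     # b_i(y_i), then Q_i's internal work
        record(f'P{i} received {y[0]}{y[1]} on b{i}')

    threads = [threading.Thread(target=agent, args=(i,), daemon=True) for i in range(n)]
    threads += [threading.Thread(target=collector, args=(i,), daemon=True) for i in range(n)]
    for th in threads:
        th.start()
    deadline = time.monotonic() + timeout
    for th in threads:
        th.join(max(0.0, deadline - time.monotonic()))
    completed = not any(th.is_alive() for th in threads)
    return completed, events

def agent_receive_order(events):
    """Agent indices in the order in which they received on their d_i endpoint."""
    return [int(e.split()[0][1:]) for e in events
            if e.startswith('A') and ' received ' in e]

if __name__ == '__main__':
    ok, ev = run_scheduler(4)
    print(ok, agent_receive_order(ev))                              # True [1, 2, 3, 0]
    print(run_scheduler(4, a0_sends_first=False, timeout=0.5)[0])   # False
```

The receive order is forced by the data dependencies, which is why it comes out the same on every run: $A_{i+1}$ cannot receive before $A_i$ has sent, and $A_i$ only sends after it has received. Flipping the switch on $A_0$ removes the one agent that sends unconditionally, and the threads block on their first `get()` forever, a faithful picture of the deadlock that a priority-based type system is designed to rule out.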


There is a natural question at this point: given that the cyclic scheduler is 
deadlock-free, is it possible to encode its semantics in CP, thus eliminating the 
need for PCP? It is possible to define a centralised agent A that communicates 
with all the collectors P;, resulting in a system that is semantically equivalent to 
our Sched. However, such an encoding has a global character, and changes the 
structure of the overall system from distributed to centralised. In programming 
terms, it corresponds to changing the software design, as we pointed out in Exam- 
ple 1, and ultimately the software architecture, which is not always desirable or 
even feasible. The aim of PCP is to generalise CP so that deadlock-free processes 
can be constructed with their natural structure. We would want any encoding 
of PCP into CP to be structure-preserving, which would mean translating the 
Cycle rule (given in Fig. 2) homomorphically; this is clearly impossible. 


Contributions and Structure of the Paper. In Sect. 2 we define priority-
based linear logic (PLL), which extends classical linear logic (CLL) with priori-
ties attached to propositions. These priorities are based on Kobayashi's annota-
tions for deadlock freedom [32]. By following the propositions-as-types paradigm,
we define a term assignment for PLL proofs, resulting in priority-based clas-
sical processes (PCP), which extends Wadler's CP [41] with MIX and CYCLE
rules (Fig. 2). In Sect. 3 we define an operational semantics for PCP. In Sect. 4
we prove CYCLE-elimination (Theorem 1) for PLL, analogous to the standard
CUT-elimination theorem for CLL. Consequently, the results for PCP are sub-
ject reduction (Theorem 2), top-level deadlock-freedom (Theorem 3), and full
deadlock-freedom for closed processes (Theorem 4). In Sect. 5 we discuss related
work and conclude the paper.


2 PCP: Classical Processes with MIX and CYCLE 


Priority-based CP (PCP) follows the style of Wadler’s Classical Processes (CP) 
[41], with details inspired by Carbone et al. [14] and Caires and Pérez [11]. 


Types. We start with types, which are based on CLL propositions. Let $A, B$
range over types, given in Definition 1. Let $o, \kappa \in \mathbb{N} \cup \{\omega\}$ range over priorities,
which are used to annotate types. Let $\omega$ be a special element such that $o < \omega$ for
all $o \in \mathbb{N}$. Often, we will omit $\omega$. We will explain priorities later in this section.


Definition 1 (Types). Types $(A, B)$ are given by:

  $A, B ::= \bot^o \mid 1^o \mid A \otimes^o B \mid A \parr^o B \mid \oplus^o\{l_i : A_i\}_{i \in I} \mid \&^o\{l_i : A_i\}_{i \in I} \mid ?^o A \mid !^o A$


$\bot^o$ and $1^o$ are associated with channel endpoints that are ready to be closed.
$A \otimes^o B$ (respectively, $A \parr^o B$) is associated with a channel endpoint that first
outputs (respectively, inputs) a channel of type $A$ and then proceeds as $B$.
$\oplus^o\{l_i : A_i\}_{i \in I}$ is associated with a channel endpoint over which we can select a
label from $\{l_i\}_{i \in I}$, and proceed as $A_i$. Dually, $\&^o\{l_i : A_i\}_{i \in I}$ is associated with
a channel endpoint that can offer a set of labelled types. $?^o A$ types a collection
of clients requesting $A$. Dually, $!^o A$ types a server repeatedly accepting $A$.

Duality on types is total and is given in Definition 2. It preserves priorities 
of types. 


Definition 2 (Duality). The duality function $(\cdot)^\perp$ on types is given by:

  $(A \parr^o B)^\perp = A^\perp \otimes^o B^\perp \qquad\qquad (\bot^o)^\perp = 1^o$
  $(A \otimes^o B)^\perp = A^\perp \parr^o B^\perp \qquad\qquad (1^o)^\perp = \bot^o$
  $(\&^o\{l_i : A_i\}_{i \in I})^\perp = \oplus^o\{l_i : A_i^\perp\}_{i \in I} \qquad (?^o A)^\perp = !^o A^\perp$
  $(\oplus^o\{l_i : A_i\}_{i \in I})^\perp = \&^o\{l_i : A_i^\perp\}_{i \in I} \qquad (!^o A)^\perp = ?^o A^\perp$


Processes. Let $P, Q$ range over processes, given in Definition 3. Let $x, y$ range
over channel endpoints, and $m, n$ over channel endpoints of type either $\bot^o$ or $1^o$.
Definition 3 (Processes). Processes $(P, Q)$ are given by:

  $P, Q ::= x[y].P$ (output) $\mid\ x(y).P$ (input) $\mid\ x \triangleleft l_j.P$ (selection) $\mid\ x \triangleright \{l_i : P_i\}_{i \in I}$ (branching)
  $\mid\ x \to y^A$ (forwarding) $\mid\ 0$ (inaction) $\mid\ P \mid Q$ (composition) $\mid\ (\nu x^A y)P$ (session restriction)
  $\mid\ x[].0$ (empty output) $\mid\ x().P$ (empty input)


Process $x[y].P$ (respectively, $x(y).P$) outputs (respectively, inputs) $y$ on channel
endpoint $x$, and proceeds as $P$. Process $x \triangleleft l_j.P$ uses $x$ to select $l_j$ from a labelled
choice process, typically being $x \triangleright \{l_i : P_i\}_{i \in I}$, and triggers $P_j$; labels indexed by
the finite set $I$ are pairwise distinct. Process $x \to y^A$ forwards communications
from $x$ to $y$, the latter having type $A$. Processes also include the inaction process
$0$, the parallel composition of $P$ and $Q$, denoted $P \mid Q$, and the double restriction
constructor $(\nu x^A y)P$: the intention is that $x$ and $y$ denote dual session channel
endpoints in $P$, and $A$ is the type of $x$. Processes $x[].0$ and $x().P$ are the empty
output and empty input, respectively. They denote the closure of a session from
the viewpoint of each of the two communicating participants.

Notions of bound/free names in processes are standard; we write $fn(P)$ to
denote the set of free names of $P$. Also, we write $P\{x/z\}$ to denote the (capture-
avoiding) substitution of $x$ for the free occurrences of $z$ in $P$. Finally, we let $\tilde{x}$,
which is different from $x$, denote a sequence $x_1, \ldots, x_n$ for $n \geq 0$.


Typing Rules. Typing contexts, ranged over by $\Gamma, \Delta, \Theta$, are sets of typing
assumptions $x : A$. We write $\Gamma, \Delta$ for union, requiring the contexts to be disjoint.
A typing judgement $P \vdash \Gamma$ means "process $P$ is well typed using context $\Gamma$".

Before presenting the typing rules, we need some auxiliary definitions. Our 
priorities are based on the annotations used by Kobayashi [32], but simplified to 
single priorities à la Padovani [37]. They obey the following laws: 


(i) An action of priority o must be prefixed only by actions of priorities strictly 
smaller than o. 
(ii) Communication requires equal priorities for the complementary actions. 


Definition 4 (Priority). The priority function $pr(\cdot)$ on types is given by:

  $pr(A \parr^o B) = pr(A \otimes^o B) = o \qquad pr(\bot^o) = pr(1^o) = o$
  $pr(\oplus^o\{l_i : A_i\}_{i \in I}) = pr(\&^o\{l_i : A_i\}_{i \in I}) = o \qquad pr(?^o A) = pr(!^o A) = o$


Definition 5 (Lift). Let $t \in \mathbb{N}$. The lift operator $\uparrow^t(\cdot)$ on types is given by:

  $\uparrow^t(A \parr^o B) = (\uparrow^t A) \parr^{o+t} (\uparrow^t B) \qquad \uparrow^t \bot^o = \bot^{o+t}$
  $\uparrow^t(A \otimes^o B) = (\uparrow^t A) \otimes^{o+t} (\uparrow^t B) \qquad \uparrow^t 1^o = 1^{o+t}$
  $\uparrow^t(\&^o\{l_i : A_i\}_{i \in I}) = \&^{o+t}\{l_i : \uparrow^t A_i\}_{i \in I} \qquad \uparrow^t(?^o A) = ?^{o+t}(\uparrow^t A)$
  $\uparrow^t(\oplus^o\{l_i : A_i\}_{i \in I}) = \oplus^{o+t}\{l_i : \uparrow^t A_i\}_{i \in I} \qquad \uparrow^t(!^o A) = !^{o+t}(\uparrow^t A)$

We assume $\omega + t = \omega$ for all $t \in \mathbb{N}$.
The operator $\uparrow^t$ is extended component-wise to typing contexts: $\uparrow^t \Gamma$.
  AX       $x \to y^A \vdash x : A^\perp, y : A$
  MIX      $\dfrac{P \vdash \Gamma \qquad Q \vdash \Delta}{P \mid Q \vdash \Gamma, \Delta}$
  CYCLE    $\dfrac{P \vdash \Gamma, x : A, y : A^\perp}{(\nu x^A y)P \vdash \Gamma}$

  $\emptyset$        $0 \vdash \emptyset$
  $1$        $x[].0 \vdash x : 1^o$
  $\bot$        $\dfrac{P \vdash \Gamma \qquad o < pr(\Gamma)}{x().P \vdash \Gamma, x : \bot^o}$

  $\parr$        $\dfrac{P \vdash \Gamma, y : A, x : B \qquad o < pr(\Gamma)}{x(y).P \vdash \Gamma, x : A \parr^o B}$
  $\otimes$        $\dfrac{P \vdash \Gamma, y : A, x : B \qquad o < pr(\Gamma)}{x[y].P \vdash \Gamma, x : A \otimes^o B}$

  $\&$        $\dfrac{\forall i \in I\ (P_i \vdash \Gamma, x : A_i) \qquad o < pr(\Gamma)}{x \triangleright \{l_i : P_i\}_{i \in I} \vdash \Gamma, x : \&^o\{l_i : A_i\}_{i \in I}}$
  $\oplus$        $\dfrac{P \vdash \Gamma, x : A_j \qquad j \in I \qquad o < pr(\Gamma)}{x \triangleleft l_j.P \vdash \Gamma, x : \oplus^o\{l_i : A_i\}_{i \in I}}$

  $!$        $\dfrac{P \vdash ?\Gamma, y : A \qquad o < pr(?\Gamma)}{!x(y).P \vdash ?\Gamma, x : !^o A}$
  $?$        $\dfrac{P \vdash \Gamma, y : A \qquad o < pr(\Gamma)}{?x[y].P \vdash \Gamma, x : ?^o A}$

  W        $\dfrac{P \vdash \Gamma}{P \vdash \Gamma, x : ?^o A}$
  C        $\dfrac{P \vdash \Gamma, y : ?^\kappa A, z : ?^{\kappa'} A \qquad o < \kappa \qquad o < \kappa' \qquad o < pr(\Gamma)}{P\{x/y, x/z\} \vdash \Gamma, x : ?^o A}$


Fig. 2. Typing rules for PCP.


The typing rules are given in Fig. 2. AX states that the forwarding process $x \to y^A$
is well typed if $x$ and $y$ have dual types, respectively $A^\perp$ and $A$. MIX types the
parallel composition of two processes $P$ and $Q$ in the union of their disjoint typing
contexts. CYCLE is our key typing rule; it states that the restriction process is
well typed if the endpoints $x$ and $y$ have dual types, respectively $A$ and $A^\perp$. By
Definition 2, $A$ and $A^\perp$ also have the same priorities, enforcing law (ii) above.
In classical logic this rule would be unsound, but in PLL it allows deadlock-free
cycles. Rule $\emptyset$ states that inaction is well typed in the empty context. Rules $1$
and $\bot$ type channel closure actions from the viewpoint of each participant. Rule
$\parr$ (respectively $\otimes$) types an input process $x(y).P$ (respectively, output process
$x[y].P$), with $y$ bound and $x$ of type $A \parr^o B$ (respectively, $A \otimes^o B$). The priority
$o$ is strictly smaller than any priorities in the continuation process $P$, enforcing
law (i) above. This is captured by $o < pr(\Gamma)$ in the premises of both rules,
abbreviating "for all $z \in dom(\Gamma)$, $o < pr(\Gamma(z))$". Rules $\&$ and $\oplus$ type external
and internal choice, respectively, and follow the previous two rules. Rule $!$ types
a server and states that if $P$ communicates along $y$ following protocol $A$, then
$!x(y).P$ communicates along $x$ following protocol $!^o A$. The three remaining rules
type different numbers of clients. Rule $?$ is for a single client: if $P$ communicates
along $y$ following $A$, then $?x[y].P$ communicates along $x$ following $?^o A$. Rule W
is for no client: if $P$ does not communicate along any channel following $A$, then
it may be regarded as communicating along $x$ following $?^o A$, for some priority
$o$. Rule C is for multiple clients: if $P$ communicates along $y$ following $?^\kappa A$, and $z$
following protocol $?^{\kappa'} A$, then $P\{x/y, x/z\}$ communicates along a single channel
$x$ following $?^o A$, where $o < \kappa$ and $o < \kappa'$. The last two conditions are necessary
to deal with some cases in the proof of CYCLE-elimination (Theorem 1).
Lifting preserves typability, by an easy induction on typing derivations. 
Lemma 1. If $P \vdash \Gamma$ then $P \vdash \uparrow^t \Gamma$.


We will use this result in the form of an admissible rule:

  $\dfrac{P \vdash \Gamma}{P \vdash \uparrow^t \Gamma}$

The Design of PCP. We have included MIX and CYCLE, which allow derivation
of both the standard CUT and the MULTICUT by Abramsky et al. [2].


  $\vdash \Gamma, A_1, \ldots, A_n$        $\vdash \Delta, A_1^\perp, \ldots, A_n^\perp$
  ──────────────────────────────────────────────────── MIX
  $\vdash \Gamma, \Delta, A_1, \ldots, A_n, A_1^\perp, \ldots, A_n^\perp$
  ──────────────────────────────────────────────────── CYCLE$^n$
  $\vdash \Gamma, \Delta$

The derivation as a whole is MULTICUT (for $n = 1$, the standard CUT).


Conversely, MIX is the nullary case of MULTICUT, and CYCLE can be derived from
AX and MULTICUT:

                                ──────────────── AX
  $\vdash \Gamma, A, A^\perp$        $\vdash A^\perp, A$
  ──────────────────────────────────────────────── MULTICUT
  $\vdash \Gamma$

which has the same premise and conclusion as CYCLE.


Having included MIX, we choose CYCLE instead of MULTICUT, as CYCLE is more
primitive.

In the presence of MIX and CYCLE, there is an isomorphism between $A \otimes B$
and $A \parr B$ in CLL. Both $A \otimes B \multimap A \parr B$ and $A \parr B \multimap A \otimes B$ are derivable,
where $C \multimap D = C^\perp \parr D$ in CLL. Equivalently, both $(A^\perp \parr B^\perp) \parr (A \parr B)$
and $(A^\perp \otimes B^\perp) \parr (A \otimes B)$ are derivable. For simplicity, let $pr(A) = pr(B) = \omega$;
by duality also $pr(A^\perp) = pr(B^\perp) = \omega$.


Derivation of $(A^\perp \parr B^\perp) \parr (A \parr B)$, annotated with priorities:

  $\vdash A^\perp, A$ (AX)      $\vdash B^\perp, B$ (AX)
  ──────────────────────────────────────── MIX
  $\vdash A^\perp, B^\perp, A, B$          $o_1 < \omega$
  ──────────────────────────────────────── ⅋
  $\vdash A^\perp \parr^{o_1} B^\perp, A, B$          $o_2 < o_1$
  ──────────────────────────────────────── ⅋
  $\vdash A^\perp \parr^{o_1} B^\perp, A \parr^{o_2} B$
  ──────────────────────────────────────── ⅋
  $\vdash (A^\perp \parr^{o_1} B^\perp) \parr^o (A \parr^{o_2} B)$

Derivation of $(A^\perp \otimes B^\perp) \parr (A \otimes B)$, annotated with priorities:

  $\vdash A^\perp, A$ (AX)   $\vdash B^\perp, B$ (AX)          $\vdash A^\perp, A$ (AX)   $\vdash B^\perp, B$ (AX)
  ──────────────────────────────── MIX             ──────────────────────────────── MIX
  $\vdash A^\perp, B^\perp, A, B$      $o_1 < \omega$           $\vdash A^\perp, B^\perp, A, B$      $o_2 < \omega$
  ──────────────────────────────── ⊗               ──────────────────────────────── ⊗
  $\vdash A^\perp \otimes^{o_1} B^\perp, A, B$                    $\vdash A^\perp, B^\perp, A \otimes^{o_2} B$
  ──────────────────────────────────────────────────────────────────────── MIX
  $\vdash A^\perp \otimes^{o_1} B^\perp, A \otimes^{o_2} B, A^\perp, A, B^\perp, B$
  ──────────────────────────────────────────────────────────────────────── CYCLE$^2$
  $\vdash A^\perp \otimes^{o_1} B^\perp, A \otimes^{o_2} B$
  ──────────────────────────────────────────────────────────────────────── ⅋
  $\vdash (A^\perp \otimes^{o_1} B^\perp) \parr^o (A \otimes^{o_2} B)$


The above derivations without priorities show the isomorphism between $A \otimes B$
and $A \parr B$ in CLL, which does not hold in our PLL, in particular as $o_1 \neq o_2$.
The distinction between $\otimes$ and $\parr$ preserves the distinction between output and
input in the term assignment. However, to simplify derivations, both typing rules
(Fig. 2) have the same form. The usual tensor rule, where there are two separate
derivations in the premise rather than just one, is derivable by using MIX.

Our type system performs priority-checking. Priorities can be inferred, as 
in Kobayashi’s type system [32] and the tool TyPiCal [28]. We have opted for 
priority checking over priority inference, as the presentation is more elegant. 
The following two examples illustrate the use of priorities. We first establish
the structure of the typing derivation, then calculate the priorities. We conclude
the section by showing the typing for the cyclic scheduler from Sect. 1.


Example 2 (Cyclic process: deadlock-free). Consider the following process

  $P = (\nu x_1 y_1)(\nu x_2 y_2)\big(x_1(v).x_2(w).R \mid y_1[n].y_2[n'].Q\big)$

where $R = x_1().v().x_2().w().0$ and $Q = y_1[].0 \mid n[].0 \mid y_2[].0 \mid n'[].0$. First, we
show the typing derivation for the left-hand side of the parallel, $x_1(v).x_2(w).R$,
where $\kappa_4 < \kappa_3 < \kappa_2 < \kappa_1$:

  $R \vdash x_1 : \bot^{\kappa_4}, v : \bot^{\kappa_3}, x_2 : \bot^{\kappa_2}, w : \bot^{\kappa_1}$          $o_1 < \kappa_4$
  ──────────────────────────────────────────────────────────────── ⅋
  $x_2(w).R \vdash x_1 : \bot^{\kappa_4}, v : \bot^{\kappa_3}, x_2 : \bot^{\kappa_1} \parr^{o_1} \bot^{\kappa_2}$          $o_2 < o_1$
  ──────────────────────────────────────────────────────────────── ⅋
  $x_1(v).x_2(w).R \vdash x_2 : \bot^{\kappa_1} \parr^{o_1} \bot^{\kappa_2}, x_1 : \bot^{\kappa_3} \parr^{o_2} \bot^{\kappa_4}$          (1)


Now, the typing derivation for the right-hand side of the parallel, $y_1[n].y_2[n'].Q$;
recall that $\kappa_4 < \kappa_3 < \kappa_2 < \kappa_1$:

  $y_1[].0 \vdash y_1 : 1^{\kappa_4}$   $n[].0 \vdash n : 1^{\kappa_3}$   $y_2[].0 \vdash y_2 : 1^{\kappa_2}$   $n'[].0 \vdash n' : 1^{\kappa_1}$   (all by rule $1$)
  ──────────────────────────────────────────────────────────────── MIX
  $Q \vdash y_1 : 1^{\kappa_4}, n : 1^{\kappa_3}, y_2 : 1^{\kappa_2}, n' : 1^{\kappa_1}$          $o_3 < \kappa_4$
  ──────────────────────────────────────────────────────────────── ⊗
  $y_2[n'].Q \vdash y_1 : 1^{\kappa_4}, n : 1^{\kappa_3}, y_2 : 1^{\kappa_1} \otimes^{o_3} 1^{\kappa_2}$          $o_4 < o_3$
  ──────────────────────────────────────────────────────────────── ⊗
  $y_1[n].y_2[n'].Q \vdash y_2 : 1^{\kappa_1} \otimes^{o_3} 1^{\kappa_2}, y_1 : 1^{\kappa_3} \otimes^{o_4} 1^{\kappa_4}$          (2)


Finally, the typing derivation for process $P$ is as follows:

  (1)        (2)
  ──────────────────────────────────────────────────────────────── MIX
  $x_1(v).x_2(w).R \mid y_1[n].y_2[n'].Q \vdash x_2 : \bot^{\kappa_1} \parr^{o_1} \bot^{\kappa_2}, x_1 : \bot^{\kappa_3} \parr^{o_2} \bot^{\kappa_4}, y_2 : 1^{\kappa_1} \otimes^{o_3} 1^{\kappa_2}, y_1 : 1^{\kappa_3} \otimes^{o_4} 1^{\kappa_4}$          $o_1 = o_3$
  ──────────────────────────────────────────────────────────────── CYCLE
  $(\nu x_2 y_2)\big(x_1(v).x_2(w).R \mid y_1[n].y_2[n'].Q\big) \vdash x_1 : \bot^{\kappa_3} \parr^{o_2} \bot^{\kappa_4}, y_1 : 1^{\kappa_3} \otimes^{o_4} 1^{\kappa_4}$          $o_2 = o_4$
  ──────────────────────────────────────────────────────────────── CYCLE
  $(\nu x_1 y_1)(\nu x_2 y_2)\big(x_1(v).x_2(w).R \mid y_1[n].y_2[n'].Q\big) \vdash \emptyset$

The system of equations
  $o_2 < o_1 \qquad o_4 < o_3 \qquad o_1 = o_3 \qquad o_2 = o_4$
can be solved by the assignment $o_1 = o_3 = 1$ and $o_2 = o_4 = 0$.


Example 3 (Cyclic process: deadlocked!). Now consider the process

  $P' = (\nu x_1 y_1)(\nu x_2 y_2)\big(x_1(v).x_2(w).R \mid y_2[n'].y_1[n].Q\big)$

where $R = x_1().v().x_2().w().0$ and $Q = y_1[].0 \mid n[].0 \mid y_2[].0 \mid n'[].0$. Notice
that the order of actions on channels $y_1$ and $y_2$ is now swapped, thus causing a
deadlock! If we tried to construct a typing derivation for process $P'$, we would
have for the right-hand side of the parallel the following:

  $y_1[].0 \vdash y_1 : 1^{\kappa_4}$   $n[].0 \vdash n : 1^{\kappa_3}$   $y_2[].0 \vdash y_2 : 1^{\kappa_2}$   $n'[].0 \vdash n' : 1^{\kappa_1}$
  ──────────────────────────────────────────────────────────────── MIX
  $Q \vdash y_1 : 1^{\kappa_4}, n : 1^{\kappa_3}, y_2 : 1^{\kappa_2}, n' : 1^{\kappa_1}$          $o_4 < \kappa_2$
  ──────────────────────────────────────────────────────────────── ⊗
  $y_1[n].Q \vdash n' : 1^{\kappa_1}, y_2 : 1^{\kappa_2}, y_1 : 1^{\kappa_3} \otimes^{o_4} 1^{\kappa_4}$          $o_3 < o_4$
  ──────────────────────────────────────────────────────────────── ⊗
  $y_2[n'].y_1[n].Q \vdash y_1 : 1^{\kappa_3} \otimes^{o_4} 1^{\kappa_4}, y_2 : 1^{\kappa_1} \otimes^{o_3} 1^{\kappa_2}$

Continuing with MIX and the two CYCLEs as in Example 2 would require $o_1 = o_3$
and $o_2 = o_4$. Then, the system of equations
  $o_2 < o_1 \qquad o_3 < o_4 \qquad o_1 = o_3 \qquad o_2 = o_4$
has no solution because it requires $o_2 < o_3$ and $o_3 < o_2$, which is impossible.
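The two examples above follow one procedure: read law (i) off the prefix structure, read law (ii) off the dual endpoints, then solve the resulting system of strict inequalities and equalities. The following checker, added here as an illustration and not part of the paper or any tool of its authors, mechanises that procedure on a small process tree: equalities are merged with union-find and the strict order is checked for a cycle, so Example 2 gets the assignment $o_1 = o_3 = 1$, $o_2 = o_4 = 0$ and Example 3 is rejected. The dual endpoint pairs, including the names exchanged at runtime (v with n, w with n'), are an assumption supplied by hand rather than inferred from the types.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

@dataclass
class Prefix:            # one action on endpoint `chan`, tagged with priority variable `var`
    chan: str
    var: str
    cont: "Proc"

@dataclass
class Par:               # parallel composition; Par([]) is the inaction 0
    parts: List["Proc"]

Proc = Union[Prefix, Par]
Constraint = Tuple[str, str]   # (a, b): read as a < b for law (i), a = b for law (ii)

def actions(p: Proc) -> List[Tuple[str, str]]:   # (endpoint, priority variable), outermost first
    if isinstance(p, Prefix):
        return [(p.chan, p.var)] + actions(p.cont)
    return [a for q in p.parts for a in actions(q)]

def law_i(p: Proc) -> List[Constraint]:
    """Law (i): a prefix's priority is strictly smaller than every priority under it."""
    if isinstance(p, Prefix):
        return [(p.var, v) for _, v in actions(p.cont)] + law_i(p.cont)
    return [c for q in p.parts for c in law_i(q)]

def law_ii(procs: List[Proc], links: List[Tuple[str, str]]) -> List[Constraint]:
    """Law (ii): the k-th action on x and the k-th action on its dual y have equal priority."""
    per_chan: Dict[str, List[str]] = defaultdict(list)
    for p in procs:
        for chan, var in actions(p):
            per_chan[chan].append(var)
    eqs: List[Constraint] = []
    for x, y in links:
        if len(per_chan[x]) != len(per_chan[y]):
            raise ValueError(f"session protocols of {x} and {y} are not dual")
        eqs.extend(zip(per_chan[x], per_chan[y]))
    return eqs

def solve(variables: List[str], lts: List[Constraint], eqs: List[Constraint]) -> Optional[Dict[str, int]]:
    """Least natural-number priorities meeting all a < b and a = b constraints, or None if impossible."""
    parent = {v: v for v in variables}
    def find(v: str) -> str:             # union-find: variables equated by law (ii) share a class
        while parent[v] != v:
            parent[v] = parent[parent[v]]
            v = parent[v]
        return v
    for a, b in eqs:
        parent[find(a)] = find(b)
    reps = {find(v) for v in variables}
    succ: Dict[str, set] = {r: set() for r in reps}
    indeg = {r: 0 for r in reps}
    for a, b in lts:
        ra, rb = find(a), find(b)
        if ra == rb:
            return None                  # would require o < o
        if rb not in succ[ra]:
            succ[ra].add(rb)
            indeg[rb] += 1
    level = {r: 0 for r in reps}         # longest path from a source = smallest admissible priority
    ready = [r for r in reps if indeg[r] == 0]
    done = 0
    while ready:                         # Kahn's topological sort over the strict-order graph
        r = ready.pop()
        done += 1
        for s in succ[r]:
            level[s] = max(level[s], level[r] + 1)
            indeg[s] -= 1
            if indeg[s] == 0:
                ready.append(s)
    if done != len(reps):
        return None                      # a cycle of strict inequalities: no assignment exists
    return {v: level[find(v)] for v in variables}

def check_priorities(procs: List[Proc], links: List[Tuple[str, str]]) -> Optional[Dict[str, int]]:
    lts = [c for p in procs for c in law_i(p)]
    return solve([v for p in procs for _, v in actions(p)], lts, law_ii(procs, links))

# Constructed input from Examples 2 and 3: R = x1().v().x2().w().0, Q = y1[].0 | n[].0 | y2[].0 | n'[].0,
# with priority variables named as in the paper's derivations (k_i on the closing actions).
def close(chan: str, var: str) -> Proc:  # x[].0 or x().0
    return Prefix(chan, var, Par([]))

def left_agent() -> Proc:                # x1(v).x2(w).R, with x1(v) at o2 and x2(w) at o1
    r = Prefix("x1", "k4", Prefix("v", "k3", Prefix("x2", "k2", Prefix("w", "k1", Par([])))))
    return Prefix("x1", "o2", Prefix("x2", "o1", r))

Q = Par([close("y1", "k4'"), close("n", "k3'"), close("y2", "k2'"), close("n'", "k1'")])
# Dual endpoint pairs, supplied by hand (an assumption of this model): the two restrictions
# plus the names exchanged at runtime, v with n and w with n'.
LINKS = [("x1", "y1"), ("x2", "y2"), ("v", "n"), ("w", "n'")]

def example2() -> Optional[Dict[str, int]]:   # y1[n].y2[n'].Q: deadlock-free
    return check_priorities([left_agent(), Prefix("y1", "o4", Prefix("y2", "o3", Q))], LINKS)

def example3() -> Optional[Dict[str, int]]:   # y2[n'].y1[n].Q: deadlocked
    return check_priorities([left_agent(), Prefix("y2", "o3", Prefix("y1", "o4", Q))], LINKS)
```

The checker reports the closing priorities $\kappa_4 < \kappa_3 < \kappa_2 < \kappa_1$ as well, which the paper leaves symbolic.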


Example 1 continued (Cyclic Scheduler)


  $Sched = (\nu a_i b_i) \ldots (\nu c_i d_{(i+1) \bmod n})\,(A_0 \mid A_1 \mid \cdots \mid A_{n-1} \mid P_0 \mid P_1 \mid \cdots \mid P_{n-1})$
  $A_0 = c_0[n_0].d_0(x_0).a_0[m_0].\mathrm{close}_0$
  $A_i = d_i(x_i).a_i[m_i].c_i[n_i].\mathrm{close}_i \qquad i \in \{1, \ldots, n-1\}$


By applying the typing rules in Fig. 2 we can derive $Sched \vdash \emptyset$, since it is a
closed process, and assign the following types and priorities:


  $c_0 : 1 \otimes^0 1 \qquad d_0 : \bot \parr^{2(n-1)} \bot \qquad a_0 : 1 \otimes^{2(n-1)+1} 1$          for $A_0$
  $d_i : \bot \parr^{2i-2} \bot \qquad a_i : 1 \otimes^{2i-1} 1 \qquad c_i : 1 \otimes^{2i} 1$          for $A_i$, $0 < i < n$
  $b_0 : \bot \parr^{2(n-1)+1} \bot \qquad b_i : \bot \parr^{2i-1} \bot$          for $P_0$ and $P_i$, $0 < i < n$


The priorities of types $\bot$ and $1$ can be assigned as in Example 2. As the
priority of $d_{i+1}$ is $2(i+1) - 2 = 2i$, we can connect it to $c_i$ with a CYCLE.


3 Operational Semantics of PCP 


In this section we define structural equivalence, the principal β-reduction rules
and commuting conversions. The detailed derivations can be found in [18].

We define structural equivalence to be the smallest congruence relation sat-
isfying the following axioms. SC-AX-SWP allows swapping channels in the for-
warding process. SC-AX-CYCLE states that cycle applied to a forwarding process
is equivalent to inaction. This allows elimination of unnecessary cycles. Axioms
SC-MIX-NIL, SC-MIX-COMM and SC-MIX-ASC state that parallel composition
uses the inaction as the neutral element and is commutative and associative.
SC-CYCLE-EXT is the standard scope extrusion rule. SC-CYCLE-SWP allows swap-
ping channels and SC-CYCLE-COMM states the commutativity of restriction¹.


¹ Note that associativity of restriction is derived from SC-MIX-COMM and
SC-CYCLE-COMM.
  SC-AX-SWP      $x \to y^A \vdash x : A^\perp, y : A \ \equiv\ y \to x^{A^\perp} \vdash x : A^\perp, y : A$
  SC-AX-CYCLE    $(\nu x^A y)\, x \to y^A \vdash \emptyset \ \equiv\ 0 \vdash \emptyset$

  SC-MIX-NIL     $0 \mid P \vdash \Gamma \ \equiv\ P \vdash \Gamma$

  SC-MIX-COMM    $P \mid Q \vdash \Gamma, \Delta \ \equiv\ Q \mid P \vdash \Gamma, \Delta$

  SC-MIX-ASC     $P \mid (Q \mid R) \vdash \Gamma, \Delta, \Theta \ \equiv\ (P \mid Q) \mid R \vdash \Gamma, \Delta, \Theta$


  SC-CYCLE-EXT   $(\nu x^A y)(P \mid Q) \vdash \Gamma, \Delta \ \equiv\ P \mid (\nu x^A y)Q \vdash \Gamma, \Delta \qquad x, y \notin fn(P)$
  SC-CYCLE-SWP   $(\nu x^A y)P \vdash \Gamma \ \equiv\ (\nu y^{A^\perp} x)P \vdash \Gamma$
  SC-CYCLE-COMM  $(\nu x^A y)(\nu z^B w)P \vdash \Gamma \ \equiv\ (\nu z^B w)(\nu x^A y)P \vdash \Gamma$


The core of the operational semantics consists of β-reductions. In π-calculus
terms these are communication steps; in logical terms they are CYCLE-elimination
steps. $\beta_{\otimes\parr}$ is given in Fig. 3 to illustrate priorities. It simplifies a cycle connect-
ing $x$ of type $A \otimes^o B$ and $y$ of type $A^\perp \parr^o B^\perp$, which corresponds to communication
between an output on $x$ and an input on $y$, respectively. Both actions have pri-
ority $o$, which is strictly smaller than any priorities in their typing contexts,
respecting the fact that they are top-level prefixes. The remaining β-reductions
are summarised below. $\beta_{\text{AXCYCLE}}$ simplifies a CYCLE involving an axiom. $\beta_{1\bot}$
closes and eliminates channels. $\beta_{\oplus\&}$, similarly to $\beta_{\otimes\parr}$, simplifies a communi-
cation between a selection and a branching. $\beta_{!?}$ simplifies a cycle between one
server of type $!^o A$ and one client of type $?^o A$. The last two rules differ in the
number of clients involved: rule $\beta_{!W}$ considers no clients, whereas $\beta_{!C}$ considers
multiple clients.


  $\beta_{\text{AXCYCLE}}$   $(\nu y^A z)(x \to y^A \mid P) \vdash \Gamma, x : A^\perp \ \to\ P\{x/z\} \vdash \Gamma, x : A^\perp$
  $\beta_{1\bot}$   $(\nu x^{1^o} y)(x[].0 \mid y().P) \vdash \Gamma \ \to\ P \vdash \Gamma$
  $\beta_{\oplus\&}$   $(\nu x^{\oplus^o\{l_i : B_i\}_{i \in I}} y)(x \triangleleft l_j.P \mid y \triangleright \{l_i : Q_i\}_{i \in I}) \vdash \Gamma, \Delta \ \to\ (\nu x^{B_j} y)(P \mid Q_j) \vdash \Gamma, \Delta$

  $\beta_{!?}$   $(\nu x^{!^o A} y)(!x(v).P \mid ?y[w].Q) \vdash ?\Gamma, \Delta \ \to\ (\nu v^A w)(P \mid Q) \vdash ?\Gamma, \Delta$

  $\beta_{!W}$   $(\nu x^{!^o A} y)(!x(v).P \mid Q) \vdash ?\Gamma, \Delta \ \to\ Q \vdash ?\Gamma, \Delta$

  $\beta_{!C}$   $(\nu x^{!^o A} y)(!x(v).P \mid Q\{y/y', y/y''\}) \vdash ?\Gamma, \Delta \ \to$
         $(\nu x'^{!^{o'} A} y')\big(!x'(v').P' \mid (\nu x''^{!^{o''} A} y'')(!x''(v'').P'' \mid Q)\big) \vdash ?\Gamma, \Delta$


  $P \vdash \Gamma, v : A, x : B$   $o < pr(\Gamma)$              $Q \vdash \Delta, w : A^\perp, y : B^\perp$   $o < pr(\Delta)$
  ──────────────────────────────── ⊗            ────────────────────────────────────── ⅋
  $x[v].P \vdash \Gamma, x : A \otimes^o B$                       $y(w).Q \vdash \Delta, y : A^\perp \parr^o B^\perp$
  ─────────────────────────────────────────────────────────────────────────── MIX
  $x[v].P \mid y(w).Q \vdash \Gamma, \Delta, x : A \otimes^o B, y : A^\perp \parr^o B^\perp$
  ─────────────────────────────────────────────────────────────────────────── CYCLE
  $(\nu x^{A \otimes^o B} y)(x[v].P \mid y(w).Q) \vdash \Gamma, \Delta$

  $\to$

  $P \vdash \Gamma, v : A, x : B$          $Q \vdash \Delta, w : A^\perp, y : B^\perp$
  ─────────────────────────────────────────────────────────── MIX
  $P \mid Q \vdash \Gamma, \Delta, v : A, x : B, w : A^\perp, y : B^\perp$
  ─────────────────────────────────────────────────────────── CYCLE$^2$
  $(\nu v^A w)(\nu x^B y)(P \mid Q) \vdash \Gamma, \Delta$


Fig. 3. β-reduction for ⊗ and ⅋.
Commuting conversions, following [12,41], allow communication prefixes to
be moved to the conclusion of a typing derivation, corresponding to pulling them
out of the scope of CYCLE rules. In order to account for the sequence of CYCLEs,
here we use the vector notation $\tilde{\cdot}$. Due to this movement, if a prefix on a channel endpoint $x$ with
priority $o$ is pulled out at top level, then to preserve priority conditions in the
typing rules in Fig. 2, it is necessary to increase priorities of all actions after the
prefix on $x$. This increase is achieved by using $\uparrow^{o+1}(\cdot)$ in the typing contexts.


  $\kappa_\bot$   $(\nu \tilde{x}^{\tilde{A}} \tilde{y})(x().P \mid Q) \vdash \Gamma, \Delta, x : \bot^o \ \to$
       $x().[(\nu \tilde{x}^{\tilde{A}} \tilde{y})(P \mid Q)] \vdash \uparrow^{o+1}\Gamma, \uparrow^{o+1}\Delta, x : \bot^o$
  $\kappa_\otimes$   $(\nu \tilde{x}^{\tilde{A}} \tilde{y})(x[v].P \mid Q) \vdash \Gamma, \Delta, x : A \otimes^o B \ \to$
       $x[v].[(\nu \tilde{x}^{\tilde{A}} \tilde{y})(P \mid Q)] \vdash (\uparrow^{o+1}\Gamma), (\uparrow^{o+1}\Delta), x : (\uparrow^{o+1}A) \otimes^o (\uparrow^{o+1}B)$
  $\kappa_\parr$   $(\nu \tilde{x}^{\tilde{A}} \tilde{y})(x(w).P \mid Q) \vdash \Gamma, \Delta, x : A \parr^o B \ \to$
       $x(w).[(\nu \tilde{x}^{\tilde{A}} \tilde{y})(P \mid Q)] \vdash (\uparrow^{o+1}\Gamma), (\uparrow^{o+1}\Delta), x : (\uparrow^{o+1}A) \parr^o (\uparrow^{o+1}B)$
  $\kappa_\oplus$   $(\nu \tilde{x}^{\tilde{A}} \tilde{y})(x \triangleleft l_j.P \mid Q) \vdash \Gamma, \Delta, x : \oplus^o\{l_i : B_i\}_{i \in I} \ \to$
       $x \triangleleft l_j.[(\nu \tilde{x}^{\tilde{A}} \tilde{y})(P \mid Q)] \vdash (\uparrow^{o+1}\Gamma), (\uparrow^{o+1}\Delta), x : \oplus^o\{l_i : \uparrow^{o+1}B_i\}_{i \in I}$
  $\kappa_\&$   $(\nu \tilde{x}^{\tilde{A}} \tilde{y})(x \triangleright \{l_i : P_i\}_{i \in I} \mid Q) \vdash \Gamma, \Delta, x : \&^o\{l_i : B_i\}_{i \in I} \ \to$
       $x \triangleright \{l_i : (\nu \tilde{x}^{\tilde{A}} \tilde{y})(P_i \mid Q)\}_{i \in I} \vdash (\uparrow^{o+1}\Gamma), (\uparrow^{o+1}\Delta), x : \&^o\{l_i : \uparrow^{o+1}B_i\}_{i \in I}$
  $\kappa_?$   $(\nu \tilde{x}^{\tilde{A}} \tilde{y})(?x[w].P \mid Q) \vdash \Gamma, \Delta, x : ?^o A \ \to$
       $?x[w].[(\nu \tilde{x}^{\tilde{A}} \tilde{y})(P \mid Q)] \vdash (\uparrow^{o+1}\Gamma), (\uparrow^{o+1}\Delta), x : ?^o(\uparrow^{o+1}A)$
  $\kappa_!$   $(\nu \tilde{x}^{\tilde{A}} \tilde{y})(!x(v).P \mid Q) \vdash ?\Gamma, \Delta, x : !^o A \ \to$
       $!x(v).[(\nu \tilde{x}^{\tilde{A}} \tilde{y})(P \mid Q)] \vdash (\uparrow^{o+1}?\Gamma), (\uparrow^{o+1}\Delta), x : !^o(\uparrow^{o+1}A)$


Finally, we give the following additional reduction rules: closure under struc- 
tural equivalence, and two congruence rules, for restriction and for parallel. 


  CLOSE-EQUIV   $P \equiv Q$, $Q \to R$, $R \equiv S$ implies $P \to S$
  CONG-CYCLE    $P \to Q$ implies $(\nu x^A y)P \to (\nu x^A y)Q$
  CONG-MIX      $P \to Q$ implies $P \mid R \to Q \mid R$


4 Results for PLL and PCP 


4.1 CYCLE-Elimination for PLL


We start with results for CYCLE-elimination for PLL; thus here we refer to $A, B$
as propositions, rather than types. The detailed proofs can be found in [18].


Definition 6. The degree function $\partial(\cdot)$ on propositions is defined by:

  $\partial(\bot^o) = \partial(1^o) = 1$
  $\partial(A \otimes^o B) = \partial(A \parr^o B) = \partial(A) + \partial(B) + 1$
  $\partial(\&^o\{l_i : A_i\}_{i \in I}) = \partial(\oplus^o\{l_i : A_i\}_{i \in I}) = \max_{i \in I}\{\partial(A_i)\} + 1$
  $\partial(?^o A) = \partial(!^o A) = \partial(A) + 1$


Definition 7. A MAXICUT is a maximal sequence of MIX and CYCLE rules, end-
ing with a CYCLE rule.
Maximality means that the rules applied immediately before a MAXICUT are any
rules in Fig. 2, other than MIX or CYCLE. The order in which MIX and CYCLE rules
are applied within a MAXICUT is irrelevant. However, Proposition 1, which follows
directly from structural equivalence (Sect. 3), allows us to simplify a MAXICUT.


Proposition 1 (Canonical MAXICUT). Given an arbitrary MAXICUT, it is
always possible to obtain from it a canonical MAXICUT consisting of a sequence
of only MIX rules followed by a sequence of only CYCLE rules.


Definition 8. A single-MIX MAXICUT contains only one MIX rule.
$A_1, \ldots, A_n, A$ are MAXICUT propositions if they are eliminated by a MAXICUT.
The degree of a sequence of CYCLEs is the sum of the degrees of the eliminated
propositions.

The degree of a MAXICUT is the sum of the degrees of the CYCLEs in it.

The degree of a proof $\pi$, $d(\pi)$, is the sup of the degrees of its MAXICUTs, implying
$d(\pi) = 0$ if and only if proof $\pi$ has no CYCLEs.

The height of a proof $\pi$, $h(\pi)$, is the height of its tree, and it is defined as
$h(\pi) = \sup(h(\pi_i))_{i \in I} + 1$, where $\{\pi_i\}_{i \in I}$ are the subproofs of $\pi$.


MAXICUT has some similarities with the derived MULTICUT: it generalises
MULTICUT in the number of MIXes, and a single-MIX MAXICUT is an occurrence
of MULTICUT.

The core of CYCLE-elimination for our PLL, as for CUT-elimination for CLL
[10,25], is the Principal Lemma (Lemma 3), which eliminates a CYCLE by either
(i) replacing it with another CYCLE on simpler propositions, or (ii) pushing it fur-
ther up the proof tree. Item (i) corresponds to (the logical part of) β-reductions
(Sect. 3); and (ii) corresponds to (the logical part of) commuting conversions
(Sect. 3).

Exceptionally, $\beta_{!C}$ reduces the original proof in a way that neither (i) nor
(ii) are respected. In order to cope with this case, we introduce Lemma 2, which
is inspired by Lemma B.1.3 in Braüner [10], and adapted to our PLL. Lemma 2
allows us to reduce the degree of a proof ending with a single-MIX MAXICUT and
having the same degree as the whole proof, and where the last rule applied on
the left hand-side immediate subproof is $!$. Let $[n]$ denote the set $\{1, \ldots, n\}$.


Lemma 2 (Inspired by B.1.3 in Braüner [10]). Let $\tau$ be a proof of the
following form, ending with a single-MIX MAXICUT:

  $\pi$:                                                            $\pi'$:
  $\vdash ?\Gamma, ?^{o_1} A_1, \ldots, ?^{o_n} A_n, A$          $\vdash \Delta, !^{o_1} A_1^\perp, \ldots, !^{o_n} A_n^\perp, ?^{\kappa_1} A^\perp, \ldots, ?^{\kappa_k} A^\perp$
  $o < pr(?\Gamma) \quad \forall i \in [n] : o < o_i$               $o < pr(\Delta) \quad \forall i \in [n] : o < o_i \quad \forall j \in [k] : o < \kappa_j$
  ──────────────────────────────────── !          ────────────────────────────────────────────── C
  $\vdash ?\Gamma, ?^{o_1} A_1, \ldots, ?^{o_n} A_n, !^o A$          $\vdash \Delta, !^{o_1} A_1^\perp, \ldots, !^{o_n} A_n^\perp, ?^o A^\perp$
  ─────────────────────────────────────────────────────────────────────────────────── MIX
  $\vdash ?\Gamma, \Delta, ?^{o_1} A_1, \ldots, ?^{o_n} A_n, !^o A, !^{o_1} A_1^\perp, \ldots, !^{o_n} A_n^\perp, ?^o A^\perp$
  ─────────────────────────────────────────────────────────────────────────────────── CYCLE$^{n+1}$
  $\vdash ?\Gamma, \Delta$

where $d(\pi) < d(\tau)$ and $d(\pi') < d(\tau)$. Then, there is a proof $\tau'$ of $\vdash ?\Gamma, \Delta$ such
that $d(\tau') < d(\tau)$.


Proof. Induction on $h(\pi')$, with a case-analysis on the last rule applied in $\pi'$.


Lemma 3 (The Principal Lemma). Let $\tau$ be a proof of $\vdash \Gamma$, ending with
a canonical MAXICUT:

     $\pi_1 \quad \ldots \quad \pi_m$
  ──────────────────────────────────────────────────── MIX
  $\vdash \Gamma, A_1, \ldots, A_n, A, A_1^\perp, \ldots, A_n^\perp, A^\perp$
  ──────────────────────────────────────────────────── CYCLE$^{n+1}$
  $\vdash \Gamma$

such that for all $i \in [m]$, $d(\pi_i) < d(\tau)$. Then there is a proof $\tau'$ of $\vdash \uparrow^t \Gamma$, for
some $t \geq 0$, such that $d(\tau') < d(\tau)$.


Proof. The proof is by induction on $\sum_{i \in [m]} h(\pi_i)$. Let $r_i$ be the last rule applied
in $\pi_i$, for $i \in [m]$, and let $C_{r_i}$ be the proposition introduced by $r_i$. Consider the
proposition with the smallest priority. If the proposition is not unique, just pick
one. Let this proposition be $C_{r_k}$. Then $\pi_k$ is a proof ending with rule $r_k$ and
conclusion $\vdash \Gamma', C_{r_k}$.


We proceed by cases on $r_k$.


— $r_k$ is $\otimes$ on one of the MAXICUT propositions $A_1, \ldots, A_n, A$. Without loss of
generality, suppose $r_k$ is applied on $A$, meaning $A = E \otimes^o F$ for some $E$ and $F$
and $o \geq 0$. By the $\otimes$ rule in Fig. 2, $o < pr(\Gamma')$. Since $A$ is a MAXICUT proposition,
by Definition 2, $A^\perp = E^\perp \parr^o F^\perp$. Since $o < pr(\Gamma')$ and $pr(A^\perp) = o$, it must be
that $A^\perp$ is in another proof, say $\pi_h$, ending with rule $r_h$ and conclusion
$\vdash \Gamma'', E^\perp \parr^o F^\perp$.


Consider the case where $r_h$ is a multiplicative, additive, exponential or $\bot$ rule
in Fig. 2. Suppose $r_h$ is applied on $C_{r_h}$, which is not $A^\perp$. All the mentioned rules
require $pr(C_{r_h}) < pr(\Gamma'', E^\perp \parr^o F^\perp \setminus C_{r_h})$, implying $pr(C_{r_h}) < pr(E^\perp \parr^o F^\perp) =
pr(E \otimes^o F) = o$. This contradicts the fact that $o$ is the smallest priority. Hence,
$r_h$ must be a $\parr$ introducing $A^\perp$.

We construct proof $\pi_A$ ending with a single-MIX MAXICUT applied on at
least $A$:

  $\vdash \Gamma', E, F$   $o < pr(\Gamma')$              $\vdash \Gamma'', E^\perp, F^\perp$   $o < pr(\Gamma'')$
  ──────────────────────────── ⊗              ──────────────────────────────── ⅋
  $\vdash \Gamma', E \otimes^o F$                          $\vdash \Gamma'', E^\perp \parr^o F^\perp$
  ──────────────────────────────────────────────────────────────────── MIX
  $\vdash \Gamma', \Gamma'', E \otimes^o F, E^\perp \parr^o F^\perp$
  ──────────────────────────────────────────────────────────────────── CYCLE
  $\vdash \Gamma', \Gamma''$

Then, by structural equivalence, we can rewrite $\tau$ in terms of $\pi_A$. By applying
$\beta_{\otimes\parr}$ on $\pi_A$ (only considering the logical part), we obtain a proof $\pi_A'$ such that
$d(\pi_A') < d(\pi_A) \leq d(\tau)$, because $\partial(E) + \partial(F) < \partial(E \otimes^o F)$. We can then construct
$\tau'$ by substituting $\pi_A'$ for $\pi_A$ in $\tau$, which concludes this case.
— $r_k$ is $!$ on one of the MAXICUT propositions $A_1, \ldots, A_n, A$. Without loss of
generality, suppose $r_k$ introduces $A$, implying that $A = !^o A'$ for some $A'$ and
$o \geq 0$. Then $\pi_k$ is the following proof:

  $\vdash ?\Theta, A'$   $o < pr(?\Theta)$
  ──────────────────────────── !
  $\vdash ?\Theta, !^o A'$

where $\Gamma' = ?\Theta$. Since $A$ is a MAXICUT proposition, by duality $A^\perp = ?^o A'^\perp$.
Since $o < pr(\Gamma')$ and $pr(A^\perp) = o$, it must be that $A^\perp$ is in another proof. Let it
be $\pi_h$ for $h \in [m]$ and $h \neq k$. Then we apply Lemma 2 to $\pi_k$ and $\pi_h$, obtaining
a proof which we use to construct $\tau'$, as we did in the previous case.


Lemma 4. Given a proof $\tau$ of $\vdash \Gamma$, such that $d(\tau) > 0$, then for some $t \geq 0$
there is a proof $\tau'$ of $\vdash \uparrow^t \Gamma$ such that $d(\tau') < d(\tau)$.


Proof. By induction on $h(\tau)$. We have the following cases.


— If $\tau$ ends in a MAXICUT whose degree is the same as the degree of $\tau$:

     $\pi_1 \quad \ldots \quad \pi_m$
  ──────────────────────────────────────────────────── MIX
  $\vdash \Gamma, A_1, \ldots, A_n, A, A_1^\perp, \ldots, A_n^\perp, A^\perp$
  ──────────────────────────────────────────────────── CYCLE$^{n+1}$
  $\vdash \Gamma$

we can apply the induction hypothesis to the subproofs of $\tau$ right before the last
MIX preceding the sequence of CYCLEs. This allows us to reduce their degrees to
become smaller than $d(\tau)$. Then we use Lemma 3.

— Otherwise, by using the inductive hypothesis on the immediate subproofs to
reduce their degree, we also reduce the degree of the whole proof.


Theorem 1 (CYCLE-Elimination). Given any proof of $\vdash \Gamma$, we can con-
struct a CYCLE-free proof of $\vdash \uparrow^t \Gamma$, for some $t \geq 0$.


Proof. Iteration on Lemma 4.


CYCLE-elimination increases the priorities of the propositions in $\Gamma$. This is solely
due to the (logical part of) our commuting conversions in Sect. 3.


4.2 Deadlock-Freedom for PCP 
Theorem 2 (Subject Reduction). If $P \vdash \Gamma$ and $P \to Q$, then $Q \vdash \uparrow^t \Gamma$,
for some $t \geq 0$.


Proof. Follows from the β-reductions and commuting conversions in Sect. 3.


Definition 9. A process is a CYCLE if it is of the form $(\nu x^A y)P$.
Theorem 3 (Top-Level Deadlock-Freedom). If $P \vdash \Gamma$ and $P$ is a CYCLE,
then there is some $Q$ such that $P \to^* Q$ and $Q$ is not a CYCLE.


Proof. The interpretation of Lemma 3 for PCP is that either (i) a top-level com-
munication occurs, corresponding to a β-reduction, or (ii) commuting conver-
sions are used to push CYCLE further inwards in a process. Consequently, iterat-
ing Lemma 3 results in eliminating top-level CYCLEs.


Eliminating all CYCLEs, as specified by Theorem 1, would correspond to a seman-
tics in which reduction occurs under prefixes, as discussed by Wadler [41]. In
order to achieve this, we would need to introduce additional congruence rules,
such as:

  $\dfrac{P \to Q}{x(y).P \to x(y).Q}$

and similarly for other actions. Reductions of this kind are not present in the
π-calculus, and we also omit them in our framework.

However, we can eliminate all CYCLEs in a proof of $\vdash \emptyset$, corresponding to full
deadlock-freedom for closed processes. Kobayashi's type system [32] satisfies the
same property.


Theorem 4 (Deadlock-Freedom for Closed Processes). If $P \vdash \emptyset$, then
either $P \equiv 0$ or there is $Q$ such that $P \to Q$.


Proof. This follows from Theorems 2 and 3, because if $Q \vdash \emptyset$ and $Q$ is not a
CYCLE then $Q$ must be a parallel composition of $0$ processes.


5 Related Work and Conclusion 


CYCLE and MULTICUT rules were explored by Abramsky et al. [2-4] in the context
of *-autonomous categories. That work is not directly comparable with ours, as
it only presented a typed semantics for CCS-like processes and did not give a
type system for a language or a term assignment for a logical system. Atkey
et al. [5] added a MULTICUT rule to CP, producing an isomorphism between $\otimes$
and $\parr$, but they did not consider deadlock-freedom.

In Kobayashi's original type-theoretic approach to deadlock-freedom [29],
priorities were abstract tags from a partially ordered set. In later work abstract
tags were simplified to natural numbers, and priorities were replaced by pairs of
obligations and capabilities [30,32]. The latter change allows more processes to
be typed, at the expense of a more complex type system. Padovani [36] adapted
Kobayashi's approach to session types, and later on he simplified it to a single
priority for the linear π-calculus [37]. Then, the single priority technique can be
transferred to session types by the encoding of session types into linear types
[16,17,19,33]. For simplicity, we have opted for single priorities, as Padovani [37].

The first work on progress for session types, by Dezani-Ciancaglini et al. 
[15,22], guaranteed the property by allowing only one active session at a time. 
Later work [21] introduced a partial order on channels in Kobayashi-style [29]. 
Bettini et al. [9] applied similar ideas to multiparty session types. The main
difference with our work is that we associate priorities with individual commu- 
nication operations, rather than with entire channels. Carbone et al. [13] proved 
that progress is a compositional form of lock-freedom and introduced a new tech- 
nique for progress in session types by adopting Kobayashi’s type system and the 
encoding of session types [19]. Vieira and Vasconcelos [40] used single priorities 
and an abstract partial order in session types to guarantee deadlock-freedom. 

The linear logic approach to deadlock-free session types started with Caires 
and Pfenning [12], based on dual intuitionistic linear logic, and was later for- 
mulated for classical linear logic by Wadler [41]. All subsequent work on linear 
logic and session types enforces deadlock-freedom by forbidding cyclic connec- 
tions. In their original work, Caires and Pfenning commented that it would be 
interesting to compare process typability in their system with other approaches 
including Kobayashi’s and Dezani-Ciancaglini’s. However, we are aware of only 
one comparative study of the expressivity of type systems for deadlock-freedom, 
by Dardha and Pérez [20]. They compared Kobayashi-style typing and CLL typ- 
ing, and proved that CLL corresponds to Kobayashi’s system with the restriction 
that only single cuts, not multicuts, are allowed. 

In this paper, we have presented a new logic, priority-based linear logic
(PLL), and a term assignment system, priority-based CP (PCP), that increase
the expressivity of deadlock-free session type systems, by combining Caires
and Pfenning's linear logic-based approach and Kobayashi's priority-based type
system. The novel feature of PLL and PCP is CYCLE, which allows cyclic pro-
cess structures to be formed if they do not violate ordering conditions on the
priorities of prefixes. Following the propositions-as-types paradigm, we prove a
CYCLE-elimination theorem analogous to the standard CUT-elimination theorem.
As a result of this theorem, we obtain deadlock-freedom for a class of π-calculus
processes which is larger than the class typed by Caires and Pfenning. In partic-
ular, these are processes that typically share more than one channel in parallel.

There are two main directions for future work. First, develop a type system 
for a functional language, priority-based GV, and translate it into PCP, along 
the lines of Lindley and Morris’ [34] translation of GV [41] into CP. Second, 
extend PCP to allow recursion and sharing [6], in order to support more gen- 
eral concurrent programming, while maintaining deadlock-freedom, as well as 
termination, or typed behavioural equivalence. 
Abstract. Graded linear exponential comonads are an extension of lin-
ear exponential comonads with grading, and provide a categorical seman-
tics of resource-sensitive exponential modality in linear logic. In this 
paper, we propose a concise double-category theoretic formulation of 
graded linear exponential comonads as a kind of monoid homomorphisms 
from the multiplicative monoids of semirings to the composition monoids 
of symmetric monoidal endofunctors. We also exploit this formulation to 
derive the category of graded comonoid-coalgebras, which decompose 
graded linear exponential comonads into symmetric monoidal adjunc- 
tions plus twists. 


1 Introduction 


One of the important discoveries in substructural logic is the decomposition of
the intuitionistic implication $\varphi \Rightarrow \psi$ using the linear implication $\multimap$ and the
exponential modality $!$. This discovery was studied by Girard through his linear
logic, which brought many new ideas and perspectives to logic and programming
language semantics.

Inside linear logic proofs, propositions with the exponential modality $!\varphi$ can
be freely copied or discarded. Later, it was realized that by adding a copy limit
to the exponential modality, like $!_r$, linear logic gains fine control of assumption
usage. This idea was first implemented in bounded linear logic [9], and studied in
connection with implicit complexity theory [4,14]. Indexed exponential modal-
ities $!_r$ were then used in wider context: resource management in programming
languages [3,7,8,20,23] and control of sensitivity in the metric semantics of pro-
grams [5,21].

The categorical structure corresponding to the exponential modality $!$ was
studied by various researchers, and it was identified as a categorical structure
called linear exponential comonad [1]. One of the celebrated results about linear
exponential comonads is that any symmetric lax monoidal adjunction:


  $L \dashv R$, with $L : (\mathbb{D}, 1, \times) \to (\mathbb{C}, 1, \otimes)$ and $R : \mathbb{C} \to \mathbb{D}$   (the monoidal structure $1, \times$ is cartesian)


yields a linear exponential comonad $L \circ R$, and every linear exponential comonad
$D$ arises in this way: for $\mathbb{D}$ take the category of Eilenberg-Moore coalgebras of $D$.


© The Author(s) 2018 
C. Baier and U. Dal Lago (Eds.): FOSSACS 2018, LNCS 10803, pp. 110-127, 2018. 
The categorical structure corresponding to the indexed exponential modality !_r has been proposed as exponential action [3] and graded linear exponential comonad [7]; they are two different presentations of the same data. Compared to linear exponential comonads, however, the categorical understanding of graded linear exponential comonads is not well-established. The aim of this paper is to contribute to this point. Concretely speaking, we show the following categorical results about graded linear exponential comonads: 


— We give a new concise formulation of graded linear exponential comonads 
as vertical monoid homomorphisms from multiplicative monoids of semirings 
to the composition monoids of symmetric lax monoidal endofunctors. This 
formulation is given in a rather complex multi-double category of symmetric 
monoidal categories. The slogan is “to represent a complex structure in a 
simple category as a simple structure in a complex category”. 

— In the multi-double category, vertical monoid homomorphisms themselves can 
be seen as monoids. By considering actions of such monoids, we obtain the 
concept of graded comonoid-coalgebras. They are an extension of Eilenberg- 
Moore coalgebras to graded linear exponential comonads, and the category of 
graded comonoid-coalgebras provides a resolution of graded linear exponential 
comonads by a symmetric lax monoidal adjunction plus a twist. 


2 Related Work 


Graded linear exponential comonads were first introduced as exponential actions in [3], and an equivalent definition was given in [7]. This paper adopts the latter definition as the starting point of study. These papers also consider linear type systems with an indexed exponential modality !_r φ, which is directly interpreted by a graded linear exponential comonad. This paper, however, focuses only on the categorical axiomatics of the indexed exponential modality, and omits its syntactic theory. In [2], Breuvart and Pagani gave a construction of graded linear exponential comonads from a set of data called stratification. They derived various graded linear exponential comonads on the category of sets and binary relations and the category of coherence spaces. Structures close to, but different from, graded linear exponential comonads were considered in the categorical semantics of the following calculi: INTML for interactive computation [23], the coeffect calculus [20] and the bounded affine type system [8]. 

Looking at the dual structure, graded monads, first considered in mathematics [6,25], were recently used in the semantic study of logic, systems and programming languages [13,18,19,22]. The resolution of graded monads was studied in [12], mildly extending a classic work by Street [26]. The major difference between graded monads and graded linear exponential comonads is the way they interact with the monoidal structure. In [13] only strengths were considered for graded monads, while graded linear exponential comonads interact with monoidal structures in an intricate manner. 

The multicategory of symmetric lax monoidal multifunctors is related to the 2-multicategory of T-algebras for a pseudo-commutative 2-monad T [11]. Hyland and Power studied multifunctors that are symmetric strong monoidal in each argument, while in this paper we weaken “strong” to “lax”. Yet, we think that by suitably extending their theory, the symmetric lax monoidal multifunctors can also be given in the language of 2-monad theory. 

Monoids in the multicategory MSMC_l in Sect. 5 are similar to the distributivity studied in [15], where Laplaza considered two symmetric non-strict monoidal structures together with a colax distributivity between them. On the other hand, in this paper, we consider a strict monoidal structure on top of the underlying symmetric (non-strict) monoidal structure, and a lax distributivity between them. 


Preliminaries 


For symmetric monoidal categories and symmetric lax monoidal functors, see [16]. In a symmetric monoidal category C, by ι : I ⊗ I → I we mean the isomorphism λ_I = ρ_I, and by τ : (A ⊗ B) ⊗ (C ⊗ D) → (A ⊗ C) ⊗ (B ⊗ D) we mean the symmetry swapping the second and third component of the tensor product. For functors F_i : ∏_j C_{i,j} → D_i where 1 ≤ i ≤ n, we define F_1 × ⋯ × F_n to 


[displayed definition not recoverable from the extraction] 


whose codomain is the product category without the nesting of products. 


3 Graded Linear Exponential Comonad 


In this paper, comonads are graded by a partially ordered semiring. It is a tuple (R, ≤, 0, +, 1, *) such that (R, 0, +, 1, *) is a unital semiring (not necessarily commutative) and +, * are monotone in each argument w.r.t. the partial order ≤. The partially ordered monoids of the additive and multiplicative parts of R are denoted by R^+ = (R, ≤, 0, +) and R^* = (R, ≤, 1, *), respectively. 

Let C, D be symmetric monoidal categories. We write SMC_l(D, C) for the category of symmetric lax monoidal functors and monoidal natural transformations between them. The following pointwise extension of the tensor unit and tensor product on C extends to a symmetric monoidal structure on SMC_l(D, C): 


I(D) = I,   (F ⊗ G)(D) = FD ⊗ GD. 


(We note that the symmetry in C is used to make F ⊗ G a symmetric lax monoidal functor.) Below by [D, C]_l we mean the symmetric monoidal category (SMC_l(D, C), I, ⊗) of symmetric lax monoidal functors and monoidal natural transformations between them. 


3.1 Graded Linear Exponential Comonad 


Fix a partially ordered semiring (R, ≤, 0, +, 1, *). We introduce the main subject of this study, the R-graded linear exponential comonad. This concept first appeared in [3, Definition 13] under the name exponential action. We adopt the following definition [7, Sect. 5.2], which is equivalent to the exponential action: 
[Fig. 1 consists of four commutative diagrams that the extraction does not preserve. They relate the distributive law δ to the weakening w, the contraction c and the lax monoidal structure m of D along the semiring equations 0 * s = 0 = s * 0, r * s + r' * s = (r + r') * s and s * r + s * r' = s * (r + r'). The surviving vertices are: D(0)(A) = D(0 * s)(A) with D(0)(D(s)(A)) and I; D(0)(A) = D(s * 0)(A) with D(s)(D(0)(A)) and D(s)(I); D(r * s + r' * s)(A) = D((r + r') * s)(A) with D(r * s)(A) ⊗ D(r' * s)(A), D(r + r')(D(s)(A)) and D(r)(D(s)(A)) ⊗ D(r')(D(s)(A)); and D(s * r + s * r')(A) = D(s * (r + r'))(A) with D(s * r)(A) ⊗ D(s * r')(A), D(s)(D(r + r')(A)) and D(s)(D(r)(A)) ⊗ D(s)(D(r')(A)) mapped by m_{s,D(r)(A),D(r')(A)} to D(s)(D(r)(A) ⊗ D(r')(A)).] 


Fig. 1. Four equational axioms related to the distributive law 


Definition 1. An R-graded linear exponential comonad on a symmetric monoidal category C is a tuple (D, w, c, ε, δ) where 


- D : (R, ≤) → SMC_l(C, C) is a functor. Below we write m_r : I → D(r)(I) and m_{r,A,B} : D(r)(A) ⊗ D(r)(B) → D(r)(A ⊗ B) for the symmetric lax monoidal structure of D(r). 

- (D, w, c) : R^+ → [C, C]_l is a symmetric colax monoidal functor. 

- (D, ε, δ) : R^* → (SMC_l(C, C), Id, ∘) is a colax monoidal functor. 


They satisfy the four equational axioms in Fig. 1. Moreover, we say that D is an R-twist if Dr is strong monoidal for each r ∈ R, and (D, ε, δ) is a strict monoidal functor (hence D1 = Id and D(r * r') = Dr ∘ Dr'). 


When fully expanded, a graded linear exponential comonad specifies one functor D : (R, ≤) → [C, C] and six natural transformations: 


m_r : I → D(r)(I),            m_{r,A,B} : D(r)(A) ⊗ D(r)(B) → D(r)(A ⊗ B) 
w_A : D(0)(A) → I,            c_{r,r',A} : D(r + r')(A) → D(r)(A) ⊗ D(r')(A) 
ε_A : D(1)(A) → A,            δ_{r,r',A} : D(r * r')(A) → D(r)(D(r')(A)) 


satisfying more than 20 equational axioms. 
Example 1. Let C be a cartesian closed category. We take a partially ordered monoid R^* = (R, ≤, 1, ×) such that (R, ≤) is a join semilattice and × preserves joins in both arguments. This condition makes the tuple R = (R, ≤, ⊥, ∨, 1, ×) a partially ordered semiring. We also take a lax monoidal functor G : R^* → C. Then the functor D : (R, ≤)^op → [C, C] defined by DrA = Gr ⇒ A extends to an R^op-graded linear exponential comonad on C (here R^op is the order-opposite of R). 


Example 2. Continuing the previous example, let R = (D, ≤, ⊥, ∨, ⊤, ∧) be a distributive lattice, regarded as a partially ordered semiring. We consider the functor category [D, Set], where D is regarded as the discrete category of the carrier set D. We then define G : R → [D, Set] by (Gr)r' = ∅ if r' ≰ r, and (Gr)r' = {*} if r' ≤ r. This G extends to a lax monoidal functor of type G : R^* → [D, Set]. From the construction in the previous example, DrA = Gr ⇒ A is a graded linear exponential comonad, which coincides with the masking functor given in [7, Theorem 2]. It behaves as (DrA)r' = {*} if r' ≰ r and (DrA)r' = Ar' if r' ≤ r. This graded linear exponential comonad is used to model the level of information flow [7, Sect. 6.1]. 
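As an added worked example (not part of the paper), here is the masking comonad of Example 2 on the two-element chain D = {L < H}, computed pointwise from the clause (DrA)r' = Ar' if r' ≤ r and (DrA)r' = {*} otherwise, together with the structure maps δ, ε, w, c it carries by Definition 1. The level names L, H (read as a low and a high security level) and the notation ! for the unique map into a singleton are assumptions of this example.

```latex
% Two-point lattice as a semiring: 0 = \bot = L, 1 = \top = H, + = \vee, * = \wedge.
% Objects of [D, Set] are pairs (A_L, A_H); the unit I is (\{*\}, \{*\}).
\begin{align*}
  D_L A &= (A_L, \{*\})   && \text{(the H-component is masked)}\\
  D_H A &= (A_L, A_H) = A && \text{(nothing is masked, since } 1 = H)
\end{align*}
% Multiplicative part: D(r \wedge s) = D_r \circ D_s on the nose, so \delta and \varepsilon are identities.
\[
  (D_{r \wedge s} A)_t
  = \begin{cases} A_t & t \le r \text{ and } t \le s \\ \{*\} & \text{otherwise} \end{cases}
  = (D_r (D_s A))_t,
  \qquad
  \varepsilon_A = \mathrm{id} : D_H A = A \to A .
\]
% Additive part: weakening at 0 = L, contraction at H \vee L = H.
\[
  w_A : D_L A \to I, \quad (w_A)_L = {!} : A_L \to \{*\}, \quad (w_A)_H = \mathrm{id}_{\{*\}} ;
\]
\[
  c_{H,L,A} : D_{H \vee L} A = A \to D_H A \times D_L A, \quad
  (c_{H,L,A})_L = \langle \mathrm{id}, \mathrm{id} \rangle : A_L \to A_L \times A_L, \quad
  (c_{H,L,A})_H = \langle \mathrm{id}, {!} \rangle : A_H \to A_H \times \{*\} .
\]
% Reading: a value graded at clearance r is observable only at levels t \le r;
% D_L hides the H-component, and contraction duplicates only what both grades may see.
```

The computation makes the information-flow reading concrete: the grade r is the clearance needed to observe a value, and the comonad laws (here all holding on the nose) guarantee that masking commutes with copying and discarding, so no component hidden at grade L can reappear after contraction.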


Example 3. Consider the category EPMet of extended pseudometric spaces¹ and nonexpansive functions between them. It has a symmetric monoidal (closed) structure, whose unit is a terminal object, and whose tensor product is given by (X, d) ⊗ (Y, e) = (X × Y, d + e). It also has the scaling modality !_r(X, d) = (X, rd), where r is an element of the ordered semiring of nonnegative extended reals, which we denote by [0, ∞]. The scaling modality is a [0, ∞]-twist with respect to the above symmetric monoidal structure. 
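An added worked check, not from the paper: unfolding the twist conditions of Definition 1 for the scaling modality of Example 3. It assumes the semiring convention 0 · ∞ = 0 on [0, ∞] (so that (X, 0·d) is a pseudometric space even when d takes the value ∞) and takes the grading order on [0, ∞] to be the reverse of the numeric order, which is the choice under which the identity map is nonexpansive in the direction the functor D requires; the paper leaves this order implicit.

```latex
% Strict monoidality of (!, \varepsilon, \delta) on the multiplicative part:
\[
  !_1(X,d) = (X, d), \qquad
  !_{rs}(X,d) = (X, (rs)\,d) = (X, r(s\,d)) = !_r\, !_s(X,d),
\]
% so \varepsilon_X and \delta_{r,s,X} are identity maps, as a twist requires.
% Strong monoidality of each !_r (the tensor is (X,d)\otimes(Y,e) = (X\times Y, d+e)):
\[
  !_r\big((X,d)\otimes(Y,e)\big) = (X\times Y,\ r(d+e)) = (X\times Y,\ rd + re)
  = !_r(X,d)\otimes !_r(Y,e), \qquad !_r I = I \text{ since } I = (\{*\}, 0),
\]
% so m_r and m_{r,X,Y} are identities.
% Weakening: !_0(X,d) = (X, 0) is indiscrete and I is terminal, so w_X is the unique map.
% Contraction: the diagonal is nonexpansive from (r+s)d to rd + sd because
\[
  (rd + sd)\big((x,x),(x',x')\big) = (r+s)\,d(x,x'), \qquad\text{hence}\qquad
  c_{r,s,(X,d)} = \langle \mathrm{id}, \mathrm{id} \rangle : !_{r+s}(X,d) \to !_r(X,d)\otimes !_s(X,d).
\]
% Functoriality in the grade: for s \le r numerically the identity is nonexpansive
% (X, rd) \to (X, sd), since s\,d(x,x') \le r\,d(x,x'); so D : (R,\le) \to [C,C]_l is
% monotone exactly when the grading order \le on [0,\infty] is the reverse numeric order.
```

The last line is the metric-semantics counterpart of the subsumption !_r A ⊸ !_s A for s ≤ r: a function known to be r-sensitive may be used wherever only the weaker bound s is required, never the other way round.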


The concept of R-graded linear exponential comonad is a generalization of 
non-graded linear exponential comonad [1, Definition 3]. This was first observed 
in [3]. 


Theorem 1. A 1-graded linear exponential comonad on a symmetric monoidal 
category C is exactly a non-graded linear exponential comonad on C. 


On the other hand, 1-twists make monoidal structures cartesian: 


Theorem 2. A 1-twist D exists on a symmetric monoidal category C if and 
only if the symmetric monoidal structure of C is cartesian (i.e. I is terminal 
and ® is a binary product). 


Proof. If it exists, the functor part of D must specify the identity functor Id_C because of the strictness. Next, (Id, w, c) becomes a commutative monoid in [C, C]_l; in particular w, c are monoidal natural transformations. From [17, Corollary 17], the monoidal structure of C is cartesian. The converse construction is evident. 


¹ Here, extended pseudometrics mean the pseudometrics that can return +∞. 
4 A Double-Category Theoretic Reformulation of Graded Linear Exponential Comonad 


Although it is in a reasonably compact form, the definition of graded linear 
exponential comonad is yet technical, and it indeed specifies a quite complex 
structure. The motivation of this study is to have a conceptually clean and 
compact definition of it. 

Particularly, what is less clear in the definition is the extra four axioms related to the distributive law (Fig. 1). In the non-graded setting (i.e. when R = 1), these four axioms reduce to simpler axioms, which can be viewed as the following conditions: 


— comultiplication δ is a comonoid morphism (item 4, Sect. 7.4, [17]), and 
— weakening w and contraction c are coalgebra morphisms (item 3, Sect. 7.4, [17]). 


However, it is not obvious how to upgrade these axioms to the graded setting, because the concepts of “graded coalgebra” and “graded comonoid” are not yet defined, at least for graded linear exponential comonads. In particular, the concept of graded coalgebra should be defined after the concept of graded linear exponential comonad, which we are going to define! Because of this circularity, the above view of the four axioms is not very helpful when upgrading them in the current situation. 

It is therefore desirable to have an alternative account of the four axioms in Fig. 1, which relies on a notion that already exists before graded linear exponential comonads. The key observation of this paper is that these four axioms are an instance of the axioms for 2-cells in the double category SMC of symmetric monoidal categories, introduced by Grandis and Paré [10, Sect. 2.3]. In SMC, a 2-cell consists of the following data: 


[square not preserved by the extraction: H along the top, H' along the bottom, V on the left, V' on the right, and α in the middle] 


where each • is a (possibly distinct) symmetric monoidal category, horizontal morphisms H, H' are symmetric lax monoidal functors, vertical morphisms V, V' are symmetric colax monoidal functors, and α : V ∘ H → H' ∘ V' is a natural transformation (between the underlying functors of H, H', V, V') making the following diagrams commute: 


unit:   VI → VHI → H'V'I → H'I   equals   VI → I → H'I 
tensor: V(HX ⊗ HY) → VH(X ⊗ Y) → H'V'(X ⊗ Y) → H'(V'X ⊗ V'Y)   equals   V(HX ⊗ HY) → VHX ⊗ VHY → H'V'X ⊗ H'V'Y → H'(V'X ⊗ V'Y)   (1) 


(the unlabelled arrows are the lax structure maps of H, H', the colax structure maps of V, V', and the components of α). We note that when V, V' (resp. H, H') are identity functors, the above axioms reduce to the ones for monoidal natural transformations of type V → V' (resp. H → H'). 

Let us see how the 2-cell axioms (1) in SMC derive the four axioms in Fig. 1. 


Proposition 1. In Definition 1, the four axioms (Fig. 1) can be replaced by the following statement: for each r ∈ R, both 


δ_{r,−} : D(r * −) → Dr ∘ D−,   δ_{−,r} : D(− * r) → D− ∘ Dr 


are 2-cells of the following type in SMC: 


[two squares, of which the extraction keeps only the vertices and labels: 
R^+ --(r * −)--> R^+ on top and [C, C]_l --(Dr ∘ −)--> [C, C]_l at the bottom, with D on both vertical sides and δ_{r,−} in the middle; 
R^+ --(− * r)--> R^+ on top and [C, C]_l --(− ∘ Dr)--> [C, C]_l at the bottom, with D on both vertical sides and δ_{−,r} in the middle.] 


5 Multicategory of Symmetric Lax Monoidal 
Multifunctors 


Proposition 1 says that by fixing one index of the doubly-indexed natural transformation δ_{−,=} : D(− * =) → D− ∘ D=, we obtain a 2-cell in the double category SMC. However, δ itself does not live in SMC. In order to create room to accommodate δ as a kind of 2-cell, we extend the horizontal morphisms of SMC to multi-ary functors that are symmetric lax monoidal in each argument. We first study such multi-ary functors in this section. 

Let C_i (1 ≤ i ≤ n) and D be symmetric monoidal categories. Intuitively, an n-ary functor F : C_1 × ⋯ × C_n → D is symmetric lax monoidal in each argument if it comes with a structure making the functor F(C_1, …, −_m, …, C_n) : C_m → D symmetric lax monoidal for each m ∈ {1, ⋯, n} and C_i ∈ C_i, i ∈ {1, ⋯, n} \ {m}. Moreover, these symmetric lax monoidal structures commute with each other in a coherent manner. 

To formally define such multi-ary symmetric lax monoidal functors, we introduce a notation for sequences. For a sequence C = C_1, ⋯, C_n of mathematical objects, a natural number 1 ≤ i ≤ n and another sequence D, by C[i : D] we mean the sequence obtained by replacing C_i with D. For instance, (1, 3, 5)[2 : X, Y] = 1, X, Y, 5. When D is empty, C[i :] stands for the sequence obtained by removing the i-th element of C. 
Definition 2. A symmetric lax monoidal multifunctor of type (C_1, ⋯, C_n) → D consists of a functor and a family of natural transformations indexed by 1 ≤ i ≤ n: 


F : C_1 × ⋯ × C_n → D 
φ_{C[i]} : I → F(C[i : I])   (C ∈ C_1 × ⋯ × C_n) 
φ_{C[i:X,Y]} : F(C[i : X]) ⊗ F(C[i : Y]) → F(C[i : X ⊗ Y])   (C ∈ C_1 × ⋯ × C_n, X, Y ∈ C_i) 


such that: 


1. For each C ∈ C_1 × ⋯ × C_n and 1 ≤ i ≤ n, the tuple (F(C[i : −]), φ_{C[i]}, φ_{C[i:−,=]}) is a symmetric lax monoidal functor from C_i to D. We denote it by F(C[i]). 

2. The following equalities hold for each C ∈ C_1 × ⋯ × C_n and 1 ≤ i < j ≤ n: 


$$\phi_{C[i:I][j]} = \phi_{C[j:I][i]}$$
$$\phi_{C[i:I][j:P,Q]} \circ (\phi_{C[j:P][i]} \otimes \phi_{C[j:Q][i]}) = \phi_{C[j:P\otimes Q][i]} \circ \iota$$
$$\phi_{C[j:I][i:P,Q]} \circ (\phi_{C[i:P][j]} \otimes \phi_{C[i:Q][j]}) = \phi_{C[i:P\otimes Q][j]} \circ \iota$$
$$\phi_{C[i:X\otimes Y][j:P,Q]} \circ (\phi_{C[j:P][i:X,Y]} \otimes \phi_{C[j:Q][i:X,Y]}) = \phi_{C[j:P\otimes Q][i:X,Y]} \circ (\phi_{C[i:X][j:P,Q]} \otimes \phi_{C[i:Y][j:P,Q]}) \circ \tau$$


We note that a symmetric lax monoidal multifunctor of type () → D is just an object in D, because all natural transformations vanish and only the functor of type 1 → D remains. 


Example 4. Let us see how the definition of a binary symmetric lax monoidal multifunctor M : (C, C) → C is unfolded. It consists of a functor M : C × C → C and the following natural transformations: 


φ¹_C : I → M(I, C),   φ¹_{X,Y,C} : M(X, C) ⊗ M(Y, C) → M(X ⊗ Y, C) 
φ²_C : I → M(C, I),   φ²_{C,X,Y} : M(C, X) ⊗ M(C, Y) → M(C, X ⊗ Y) 


such that 


1. For each C ∈ C, (M(−, C), φ¹_C, φ¹_{−,=,C}) and (M(C, −), φ²_C, φ²_{C,−,=}) are symmetric lax monoidal functors of type C → C. 
2. The following coherence axioms hold: 


$$\phi^1_I = \phi^2_I, \qquad \phi^1_{C\otimes C'} \circ \iota = \phi^2_{I,C,C'} \circ (\phi^1_C \otimes \phi^1_{C'}), \qquad \phi^2_{C\otimes C'} \circ \iota = \phi^1_{C,C',I} \circ (\phi^2_C \otimes \phi^2_{C'}),$$
$$\phi^2_{C\otimes C',D,D'} \circ (\phi^1_{C,C',D} \otimes \phi^1_{C,C',D'}) = \phi^1_{C,C',D\otimes D'} \circ (\phi^2_{C,D,D'} \otimes \phi^2_{C',D,D'}) \circ \tau$$


We will later use the following binary symmetric lax monoidal multifunctors. Let R be a partially ordered semiring and C be a symmetric monoidal category. 


1. The multiplication (*) is a symmetric lax monoidal multifunctor of type (R^+, R^+) → R^+. 

2. The evaluation functor ev : [C, C]_l × C → C extends to a symmetric lax monoidal multifunctor of type ([C, C]_l, C) → C. 

3. The functor composition (∘) extends to a symmetric lax monoidal multifunctor of type ([C, C]_l, [C, C]_l) → [C, C]_l. 


Note that (*) is symmetric strict monoidal in each argument, while (∘), ev are symmetric strict monoidal in the first argument, and symmetric lax monoidal in the second argument. 
Next, for symmetric lax monoidal multifunctors (F, φ) : (C_1, ⋯, C_n) → D and (G_i, ψ^{(i)}) : (B_{i1}, ⋯, B_{im_i}) → C_i (1 ≤ i ≤ n), we define their multicomposition. First, we define a bijection (/) : {(i, j) | 1 ≤ i ≤ n, 1 ≤ j ≤ m_i} → {1, ⋯, ∑_{i} m_i}, and represent a number in the latter set as the pair of numbers uniquely determined by (/) in the former set. Then the multicomposition is given by the following (H, η), where B_i ranges over B_{i1} × ⋯ × B_{im_i}: 


$$H = F \circ (G_1 \times \cdots \times G_n)$$
$$\eta_{(B_1,\ldots,B_n)[i/j]} = F\big((G_1B_1,\ldots,G_nB_n)[i : \psi^{(i)}_{B_i[j]}]\big) \circ \phi_{(G_1B_1,\ldots,G_nB_n)[i]}$$
$$\eta_{(B_1,\ldots,B_n)[i/j:X,Y]} = F\big((G_1B_1,\ldots,G_nB_n)[i : \psi^{(i)}_{B_i[j:X,Y]}]\big) \circ \phi_{(G_1B_1,\ldots,G_nB_n)[i : G_i(B_i[j:X]),\, G_i(B_i[j:Y])]}$$


Theorem 3. Symmetric monoidal categories, symmetric lax monoidal multifunctors, and the above multicomposition form a multicategory MSMC_l. 


Proof (sketch). To check that symmetric lax monoidal multifunctors are closed under multicomposition, the key cases are n = 2, m_1 = m_2 = 1 and n = 1, m_1 = 2. 


In MSMC_l, we consider monoids and monoid actions. A monoid is a tuple (C, U : () → C, M : (C, C) → C) of a symmetric monoidal category C and symmetric lax monoidal multifunctors U, M such that 


Id = M ∘ (Id, U),   Id = M ∘ (U, Id),   M ∘ (Id, M) = M ∘ (M, Id). 


An action of a monoid (C, U, M) on a symmetric monoidal category D is a symmetric lax monoidal multifunctor A : (C, D) → D such that 


A ∘ (U, Id) = Id,   A ∘ (Id, A) = A ∘ (M, Id). 


By unfolding the definition, a monoid (C, U, M) in MSMC_l equips C with an additional strict monoidal structure (U, M). The argument-wise symmetric lax monoidal structure on M becomes a lax distributivity (see Example 4). Thus we call a monoid in MSMC_l a lax distributive strict rig category. It has a smaller set of coherence axioms than the one given by Laplaza in [15], thanks to the strictness of (U, M). 


Example 5 (Continued from Example 4). (R^+, 1, *) and ([C, C]_l, Id, ∘) are both lax distributive strict rig categories. Both monoids act on themselves. The latter monoid acts on C with the evaluation functor ev. 


6 Graded Linear Exponential Comonads as Vertical 
Monoid Homomorphisms 


We now extend the double category SMC of Grandis and Paré by replacing horizontal morphisms with symmetric lax monoidal multifunctors. The concept of 2-cells in SMC is also replaced by prisms; the name is because they are placed in the middle of the space surrounded by two horizontal multifunctors and vertical morphisms. Such a prism is defined to be a natural transformation that is a 2-cell of SMC in each argument. 
Definition 3. Let F : (C_1, ⋯, C_n) → D and G : (E_1, ⋯, E_n) → F be symmetric lax monoidal multifunctors and V_i : C_i → E_i (1 ≤ i ≤ n) and W : D → F be symmetric colax monoidal functors. A prism α of type (V_1, ⋯, V_n) → W : F → G, which is depicted as 


[square: (C_1, ⋯, C_n) --F--> D on top, (E_1, ⋯, E_n) --G--> F at the bottom, (V_1, ⋯, V_n) on the left, W on the right, α in the middle] 


is a natural transformation α : W ∘ F → G ∘ (V_1 × ⋯ × V_n) such that for each C ∈ ∏_i C_i and 1 ≤ i ≤ n, α_{C[i:−]} is a 2-cell of the following type in the double category SMC: 


[square: C_i --F(C[i:−])--> D on top, E_i --G((V_1C_1, ⋯, V_nC_n)[i:−])--> F at the bottom, V_i on the left, W on the right, α_{C[i:−]} in the middle] 


We note that when n = 0, a prism α : () → W : F → G is simply a morphism α : WF → G in F. 


Proposition 2. Let D : R^+ → [C, C]_l be a symmetric colax monoidal functor and δ be a prism of type (D, D) → D : (*) → (∘), where (*) and (∘) are the symmetric lax monoidal multifunctors that appeared in Example 4. Then for each r ∈ R, δ_{r,−} and δ_{−,r} are 2-cells of the following type in SMC: 


[two squares: R^+ --(r * −)--> R^+ on top and [C, C]_l --(Dr ∘ −)--> [C, C]_l at the bottom, with D on both vertical sides and δ_{r,−} in the middle; R^+ --(− * r)--> R^+ on top and [C, C]_l --(− ∘ Dr)--> [C, C]_l at the bottom, with D on both vertical sides and δ_{−,r} in the middle] 


Like double categories, composition of prisms can be done in two directions. Consider the following prisms (1 ≤ i ≤ n): 


γ_i : (U_{i1}, ⋯, U_{im_i}) → V_i : G_i → G_i'   with G_i : (B_{i1}, ⋯, B_{im_i}) → C_i and G_i' : (B_{i1}', ⋯, B_{im_i}') → C_i', 
α : (V_1, ⋯, V_n) → W : F → F'   with F : (C_1, ⋯, C_n) → D and F' : (C_1', ⋯, C_n') → D', 
β : (V_1', ⋯, V_n') → W' : F' → F''   with F'' : (C_1'', ⋯, C_n'') → D''. 


Then define vertical composition and horizontal multicomposition of prisms by the following (ordinary) natural transformations: 

$$\beta \odot \alpha = (\beta \circ (V_1 \times \cdots \times V_n)) \bullet (W' \circ \alpha)$$
$$\alpha \circledast (\gamma_1, \ldots, \gamma_n) = (F' \circ (\gamma_1 \times \cdots \times \gamma_n)) \bullet (\alpha \circ (G_1 \times \cdots \times G_n))$$


where • on the right hand side is the vertical composition of natural transformations. 


Proposition 3. In the above setting, 


1. β ⊙ α is a prism of type (V_1' ∘ V_1, ⋯, V_n' ∘ V_n) → W' ∘ W : F → F''. 

2. α ⊛ (γ_1, ⋯, γ_n) is a prism of type (U_{11}, ⋯, U_{nm_n}) → W : F ∘ (G_1, ⋯, G_n) → F' ∘ (G_1', ⋯, G_n'). 

3. The interchange law holds: 


$$(\beta \circledast (\delta_1, \ldots, \delta_n)) \odot (\alpha \circledast (\gamma_1, \ldots, \gamma_n)) = (\beta \odot \alpha) \circledast (\delta_1 \odot \gamma_1, \ldots, \delta_n \odot \gamma_n).$$


Definition 4. Let (C, U, M), (D, U', M') be monoids in MSMC_l. A vertical monoid homomorphism consists of a symmetric colax monoidal functor Λ : C → D and prisms ε : () → Λ : U → U' and δ : (Λ, Λ) → Λ : M → M': 


[diagram: () --U--> C <--M-- (C, C) on top, () --U'--> D <--M'-- (D, D) at the bottom, Λ and (Λ, Λ) as vertical morphisms, ε and δ in the middle] 


such that the following prism equalities hold: 

δ ⊛ (id, ε) = id,   δ ⊛ (ε, id) = id,   δ ⊛ (id, δ) = δ ⊛ (δ, id). 


The above prism equalities amount to the following equalities of natural transformations: 

M'(ΛX, ε) ∘ δ_{X,U} = id,   M'(ε, ΛX) ∘ δ_{U,X} = id, 
M'(ΛX, δ_{Y,Z}) ∘ δ_{X,M(Y,Z)} = M'(δ_{X,Y}, ΛZ) ∘ δ_{M(X,Y),Z}. 


With this concept, we can concisely capture R-graded linear exponential 
comonads: 


Theorem 4. There is a bijective correspondence between 


1. A vertical monoid homomorphism (D, ε, δ) from (R^+, 1, *) to ([C, C]_l, Id, ∘). 
2. An R-graded linear exponential comonad on C. 


Vertical monoid homomorphisms vertically compose. Therefore we can 
extend a graded linear exponential comonad (as a vertical monoid homomor- 
phism) by stacking vertical monoid homomorphisms. 
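An added worked unfolding, not from the paper, of the three prism equalities of Definition 4 in the instance Theorem 4 is about: Λ = D, (U, M) = (1, *) on R^+ and (U', M') = (Id, ∘) on [C, C]_l. It uses only the equalities of natural transformations displayed after Definition 4 and the component notation of Definition 1; the whiskering notation Dr ∘ ε and ε ∘ Dr is an assumption of this example.

```latex
% Instance of Definition 4: M(X, U) = r * 1 = r and M'(\Lambda X, -) = Dr \circ (-),
% so M'(\Lambda X, \varepsilon) is the whiskering Dr \circ \varepsilon and \delta_{X,U} = \delta_{r,1}.
% Strictness of (1, *) gives D(r * 1) = Dr literally, so no unitor appears.
\begin{align*}
  (Dr \circ \varepsilon) \bullet \delta_{r,1} = \mathrm{id}_{Dr}
    &\quad\text{i.e.}\quad D(r)(\varepsilon_A) \circ \delta_{r,1,A} = \mathrm{id}_{D(r)(A)}, \\
  (\varepsilon \circ Dr) \bullet \delta_{1,r} = \mathrm{id}_{Dr}
    &\quad\text{i.e.}\quad \varepsilon_{D(r)(A)} \circ \delta_{1,r,A} = \mathrm{id}_{D(r)(A)}, \\
  (Dr \circ \delta_{s,t}) \bullet \delta_{r,s*t} = (\delta_{r,s} \circ Dt) \bullet \delta_{r*s,t}
    &\quad\text{i.e.}\quad D(r)(\delta_{s,t,A}) \circ \delta_{r,s*t,A}
       = \delta_{r,s,D(t)(A)} \circ \delta_{r*s,t,A}.
\end{align*}
% The three right-hand forms are the counit and coassociativity laws of the colax monoidal
% functor (D, \varepsilon, \delta) : R^* \to (SMC_l(C,C), Id, \circ) of Definition 1.
% The remaining axioms of Fig. 1 are supplied by the prism condition on \delta
% (a 2-cell of SMC in each argument, Proposition 2), not by these three equalities.
```

This is the direction of Theorem 4 from item 1 to item 2 restricted to the multiplicative part; it makes visible that the prism equalities carry the comonad laws, while the Fig. 1 interaction with w and c is entirely encoded in δ being a prism rather than a mere natural transformation.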
Proposition 4. Let R, S be partially ordered semirings. Then a vertical monoid homomorphism from (R^+, 1_R, *_R) to (S^+, 1_S, *_S) bijectively corresponds to a monotone function h : (R, ≤_R) → (S, ≤_S) such that h(∑_i r_i) ≤ ∑_i h(r_i) and h(∏_i r_i) ≤ ∏_i h(r_i) (which we call a colax homomorphism). 


Proposition 5. Let F ⊣ U : C → D be a symmetric lax monoidal adjunction. Then the functor V^{F⊣U} defined by V^{F⊣U}H = F ∘ H ∘ U is a vertical monoid homomorphism from ([C, C]_l, Id, ∘) to ([D, D]_l, Id, ∘). 


Proof. Let F ⊣ U : C → D be a symmetric lax monoidal adjunction. From Kelly's doctrinal adjunction, F is symmetric strong monoidal, hence so is F ∘ − in the following diagram: 


V^{F⊣U} = [C, C]_l --(F ∘ −)--> [C, D]_l --(− ∘ U)--> [D, D]_l 


Next, − ∘ U above is always symmetric strict monoidal. By composing them, we obtain that V^{F⊣U} is symmetric strong, hence colax monoidal. We next introduce prisms (ε, δ) of the following type: 


[diagram: () --Id--> [C, C]_l <--(∘)-- ([C, C]_l, [C, C]_l) on top, () --Id--> [D, D]_l <--(∘)-- ([D, D]_l, [D, D]_l) at the bottom, V^{F⊣U} and (V^{F⊣U}, V^{F⊣U}) as vertical morphisms, ε and δ in the middle] 


We define ε to be the counit of the adjunction F ⊣ U, which is monoidal natural, and δ to be the following natural transformation, where η is the unit of F ⊣ U: 


δ_{H_1,H_2} = V^{F⊣U}(H_1 ∘ η ∘ H_2) : V^{F⊣U}(H_1 ∘ H_2) → V^{F⊣U}H_1 ∘ V^{F⊣U}H_2 


It is routine to check that this satisfies the axioms of prism. 


Theorem 5. Let R be a partially ordered semiring and D be an R-graded linear exponential comonad on a symmetric monoidal category C. We moreover let S be another partially ordered semiring, h : S → R be a colax homomorphism and F ⊣ U : C → D be a symmetric lax monoidal adjunction. Then the following composite of vertical monoid homomorphisms is an S-graded linear exponential comonad on D. 


(S^+, 1_S, *_S) --h--> (R^+, 1_R, *_R) --D--> ([C, C]_l, Id_C, ∘) --V^{F⊣U}--> ([D, D]_l, Id_D, ∘) 


We call the above composite the extension of D with F ⊣ U and h. 


7 From Monoid Actions to Graded Comonoid-Coalgebras 


Let (D, ε, δ) : (R^+, 1, *) → ([C, C]_l, Id, ∘) be an R-graded linear exponential comonad as a vertical monoid homomorphism. The prism equations in Definition 4 suggest that the vertical monoid homomorphism itself can be seen as a monoid. We can thus consider monoid actions of (D, ε, δ): such an action consists of a prism 


[square: (R^+, R^+) --(*)--> R^+ on top, ([C, C]_l, C) --ev--> C at the bottom, (D, A) on the left, A on the right, a in the middle] 


such that the following prism equations hold: 

a ⊛ (δ, id) = a ⊛ (id, a),   a ⊛ (ε, id) = id. 


We note that this makes sense because (*) and ev are also monoid actions in MSMC_l; see Example 5. By unfolding this definition, we obtain the following structure, which we name graded comonoid-coalgebra. 


Definition 5. Let R be a partially ordered semiring. An R-graded comonoid-coalgebra of an R-graded linear exponential comonad (D, w, c, ε, δ) on a symmetric monoidal category C is a tuple (A, a, u, o) such that 


- (A, u, o) : R^+ → C is a symmetric colax monoidal functor. 
- a_{r,r'} : A(r * r') → D(r)(A(r')) is a natural transformation. 


They satisfy the following six equational axioms: 


[The six commutative diagrams are not preserved by the extraction; the surviving vertices show what they state, with unlabelled arrows being components of a, u, o, w, c, ε, δ and m: 
- associativity: A(r * s * t) → D(r)(A(s * t)) → D(r)(D(s)(A(t))) equals A(r * s * t) → D(r * s)(A(t)) → D(r)(D(s)(A(t))); 
- unit: A(1 * t) → D(1)(A(t)) → A(t) is the identity; 
- with weakening: A(0 * r) → D(0)(A(r)) → I equals u : A(0) → I, and A(r * 0) → D(r)(A(0)) → D(r)(I) equals A(0) → I → D(r)(I); 
- with contraction: A((s + t) * r) → D(s + t)(A(r)) → D(s)(A(r)) ⊗ D(t)(A(r)) equals A(s * r + t * r) → A(s * r) ⊗ A(t * r) → D(s)(A(r)) ⊗ D(t)(A(r)), and A(r * (s + t)) → D(r)(A(s + t)) → D(r)(A(s) ⊗ A(t)) equals A(r * s + r * t) → A(r * s) ⊗ A(r * t) → D(r)(A(s)) ⊗ D(r)(A(t)) → D(r)(A(s) ⊗ A(t)), the last arrow being m_{r,A(s),A(t)}.] 


A morphism from an R-graded comonoid-coalgebra (A, a, u, o) to another (B, b, v, p) is a monoidal natural transformation h : (A, u, o) → (B, v, p) such that h satisfies: 


b_{r,s} ∘ h_{r*s} = D(r)(h_s) ∘ a_{r,s} 


We write C(C, D) for the category of R-graded comonoid-coalgebras of D. 


Proposition 6. Let R be a partially ordered semiring and (D, w, c, ε, δ) be an R-graded linear exponential comonad on a symmetric monoidal category C. The following gives a symmetric monoidal structure on C(C, D): 

$$I = (I,\ \lambda r,s.\, m_r,\ \mathrm{id}_I,\ \lambda r,s.\, \iota^{-1})$$
$$(A, a, u, o) \otimes (B, b, v, p) = (A \otimes B,\ \lambda r,r'.\, m_{r,Ar',Br'} \circ (a_{r,r'} \otimes b_{r,r'}),\ \iota \circ (u \otimes v),\ \lambda r,r'.\, \tau \circ (o_{r,r'} \otimes p_{r,r'}))$$
$$(f \otimes g)_r = f_r \otimes g_r$$
$$(\lambda_A)_r = \lambda_{Ar}, \quad (\rho_A)_r = \rho_{Ar}, \quad (\alpha_{A,B,C})_r = \alpha_{Ar,Br,Cr}, \quad (c_{A,B})_r = c_{Ar,Br}$$


When R = 1, the category C(C, D) reduces to the category of Eilenberg-Moore coalgebras of the non-graded linear exponential comonad. 


Theorem 6. Let (D, w, c, ε, δ) be a 1-graded linear exponential comonad on a symmetric monoidal category C. Then the category C(C, D) is strong monoidally isomorphic to the category C^D of Eilenberg-Moore coalgebras of the comonad (D, ε, δ). 


Like C^D, there is a symmetric lax monoidal adjunction of the following type: 


F ⊣ U : C(C, D) → C   (F : C(C, D) → C is the left adjoint, U : C → C(C, D) the right adjoint) 


but this itself is not enough to recover D: D takes two arguments, while the composite F ∘ U is only equal to the symmetric lax monoidal comonad D1 on C. The category C(C, D) actually carries an R-twist T, which acts on comonoid-coalgebras as follows: 


T_r(A, a, u, o) = (A(− * r), …), 


and D is recovered as the extension of T with the adjunction F ⊣ U (Theorem 5). 


Theorem 7. Let R be a partially ordered semiring and (D, w, c, ε, δ) be an R-graded linear exponential comonad on a symmetric monoidal category C. 


1. The functor F : C(C, D) → C given by F(A, a, u, o) = A1 and Fh = h_1 is symmetric strict monoidal, and has a symmetric lax monoidal right adjoint U : C → C(C, D), whose object part is given by UA = (λr. DrA, λr,r'. δ_{r,r',A}, w_A, λr,r'. c_{r,r',A}). 

2. The following data give an R-twist T on C(C, D): 


$$T_r A = (\lambda s.\, A(s * r),\ \lambda s,s'.\, a_{s,s'*r},\ u,\ \lambda s,s'.\, o_{s*r,s'*r}), \qquad (T_r h)_s = h_{s*r}$$
$$(m^T_r)_s = \mathrm{id}_I, \quad (m^T_{r,A,B})_s = \mathrm{id}_{A(s*r) \otimes B(s*r)}, \quad (w^T_A)_s = u, \quad (c^T_{r,s,A})_t = o_{t*r,t*s}.$$


Here A = (A, a, u, o) and B are R-graded comonoid-coalgebras. From the definition of twists, ε^T, δ^T are identities. 

3. The extension of D with F ⊣ U (Theorem 5) coincides with the R-graded linear exponential comonad D. 


The following classic result [1, Theorem 6-1] can be reproved by Theorem 7. 


Corollary 1. Let C be a symmetric monoidal category and let D be a non-graded linear exponential comonad on C. The canonical symmetric monoidal structure on the category C^D of Eilenberg-Moore coalgebras of D is cartesian. 


Proof. From Theorem 1, D is a 1-graded linear exponential comonad on C. Therefore C(C, D) has a 1-twist by Theorem 7-3. Therefore the symmetric monoidal structure of C(C, D) is cartesian by Theorem 2. Finally, C(C, D) is strong monoidally isomorphic to C^D by Theorem 6, hence the symmetric monoidal structure of C^D is also cartesian. 


We show the finality of the category of graded comonoid-coalgebras. Let R be a partially ordered semiring and D be an R-graded linear exponential comonad on a symmetric monoidal category C. We define a resolution of D to be a pair of a symmetric lax monoidal adjunction J ⊣ K : E → C and an R-twist (S, w^S, c^S) on E such that the extension of S with J ⊣ K is equal to D. Then the following set of data becomes a strong monoidal functor (M, m^M, m^M_{E,E'}) : E → C(C, D), where η is the unit of J ⊣ K: 


$$ME = (\lambda r.\, J(Sr)E,\ \lambda r,r'.\, J(Sr)\eta_{(Sr')E},\ (m^J)^{-1} \circ J w^S_E,\ \lambda r,r'.\, (m^J)^{-1} \circ J c^S_{r,r',E})$$
$$(Mf)_r = J(Sr)f, \qquad (m^M)_r = J(m^{Sr}) \circ m^J, \qquad (m^M_{E,E'})_r = J(m^{Sr}_{E,E'}) \circ m^J_{SrE,SrE'}$$


(recall that Sr, J are both symmetric strong monoidal). 
Theorem 8. The above M is the unique symmetric strong monoidal functor such that: 


1. The equalities of symmetric lax monoidal functors M ∘ K = U and F ∘ M = J hold. 

2. Let M^* = − ∘ M and M_* = M ∘ − be the induced symmetric strict (resp. strong) monoidal functors. Then the following square of symmetric colax monoidal functors commutes: 


[square: R^+ --S--> [E, E]_l on top, [C(C, D), C(C, D)]_l --M^*--> [E, C(C, D)]_l at the bottom, T on the left, M_* on the right] 


8 Conclusion 


We have given a concise characterization of graded linear exponential comonads as vertical monoid homomorphisms (D, ε, δ) from (R^+, 1, *) to ([C, C]_l, Id, ∘). This characterization is built upon a combination of the theory of symmetric lax monoidal multifunctors and Grandis and Paré's double category of symmetric monoidal categories. After this characterization, we considered monoid actions, and derived the concept of graded comonoid-coalgebras. The category of graded comonoid-coalgebras is shown to give a resolution of the graded linear exponential comonad D. These results are consistent with the theory of non-graded linear exponential comonads developed in [1]. 

It remains to be seen if the category of graded comonoid-coalgebras can be constructed in a purely double-category theoretic way. In the non-graded case, there are other types of categorical models of the exponential modality using Lafont categories and Seely categories [17]. Graded versions of these categories are also an interesting research topic. 
Abstract. This work proposes a dependent type theory that combines functions and session-typed processes (with value dependencies) through a contextual monad, internalising typed processes in a dependently-typed λ-calculus. The proposed framework, by allowing session processes to depend on functions and vice-versa, enables us to specify and statically verify protocols where the choice of the next communication action can depend on specific values of received data. Moreover, the type theoretic nature of the framework endows us with the ability to internally describe and prove predicates on process behaviours. Our main results are type soundness of the framework, and a faithful embedding of the functional layer of the calculus within the session-typed layer, showcasing the expressiveness of dependent session types. 


1 Introduction 


Session types [14,24] are a typing discipline for communication protocols, whose simplicity provides an extensible framework that allows for integration with a variety of functional type features. One useful instance arising from the proof-theoretic exploration of logical quantification is value-dependent session types [25]. In that work, one can express properties of exchanged data in protocol specifications separately from communication, but cannot describe protocols where communication actions depend on the actual exchanged data (e.g. [16, Sect. 2]). Moreover, it does not allow functions or values to depend on protocols (i.e. sessions) or communication, thus preventing reasoning about dependent process behaviours and exploring the proofs-as-programs paradigm of dependent type theory, e.g. [8,17].

Our work addresses the limitations of existing formulations of session types by proposing a type theory that integrates dependent functions and session types using a contextual monad. This monad internalises a session-typed calculus within a dependently-typed λ-calculus. By allowing session types to depend on λ-terms and λ-terms to depend on typed processes (using the monad), we are able to achieve heightened degrees of expressiveness. Exploiting the former direction, we enable writing actual data-dependent communication protocols. Exploiting the latter, we can define and prove properties of linearly-typed objects (i.e. processes) within our intuitionistic theory.
© The Author(s) 2018 
To informally demonstrate how our type theory goes beyond the state of the art in order to represent data-dependent protocols, consider the following session type (we write $\tau \wedge A$ for $\exists x{:}\tau.A$ where $x$ does not occur in $A$ and similarly $\tau \supset A$ for $\forall x{:}\tau.A$ when $x$ is not free in $A$),

$T \triangleq \mathsf{Bool} \supset \oplus\{\mathsf{t} : \mathsf{Nat} \wedge \mathbf{1},\ \mathsf{f} : \mathsf{Bool} \wedge \mathbf{1}\}$,

representable in existing session typing systems. The type $T$ denotes a protocol which first inputs a boolean and then either emits the label $\mathsf{t}$, which will be followed by an output of a natural number, or emits the label $\mathsf{f}$ and a boolean. The intended protocol described by $T$ is to take the $\mathsf{t}$ branch if the received value is $\mathsf{true}$ and the $\mathsf{f}$ branch otherwise, which we can implement as $Q$ with channel $z$ typed by $T$ as follows:

$Q \triangleq z(x).\mathsf{case}\ x\ \mathsf{of}\ (\mathsf{true} \Rightarrow z.\mathsf{t}; z\langle 23\rangle.\mathbf{0},\ \mathsf{false} \Rightarrow z.\mathsf{f}; z\langle\mathsf{true}\rangle.\mathbf{0})$


where $z(x).P$ denotes an input process, $z.\mathsf{t}$ is a process which selects label $\mathsf{t}$ and $z\langle 23\rangle.P$ is an output on $z$. However, since the specification is imprecise, the process $z(x).\mathsf{case}\ x\ \mathsf{of}\ (\mathsf{false} \Rightarrow z.\mathsf{t}; z\langle 23\rangle.\mathbf{0},\ \mathsf{true} \Rightarrow z.\mathsf{f}; z\langle\mathsf{true}\rangle.\mathbf{0})$ is also a type-correct implementation of $T$ that does not adhere to the intended protocol. Using our dependent type system, we can narrow the specification to guarantee that the desired protocol is precisely enforced. Consider the following definition of a session-type level conditional, where we assume inductive definition and dependent pattern matching mechanisms ($\mathsf{stype}$ denotes the kind of session types):

$\mathsf{if} :: \mathsf{Bool} \to \mathsf{stype} \to \mathsf{stype} \to \mathsf{stype}$
$\mathsf{if}\ \mathsf{true}\ A\ B = A \qquad \mathsf{if}\ \mathsf{false}\ A\ B = B$


The type-level function above case-analyses the boolean and produces its first session type argument if the value is $\mathsf{true}$ and the second otherwise. We may now specify a session type that faithfully implements the protocol:

$T' \triangleq \forall x{:}\mathsf{Bool}.\mathsf{if}\ x\ (\mathsf{Nat} \wedge \mathbf{1})\ (\mathsf{Bool} \wedge \mathbf{1})$

A process $R$ implementing such a type on channel $z$ is given below:

$R \triangleq z(x).\mathsf{case}\ x\ \mathsf{of}\ (\mathsf{true} \Rightarrow z\langle 23\rangle.\mathbf{0},\ \mathsf{false} \Rightarrow z\langle\mathsf{true}\rangle.\mathbf{0})$


Note that if we flip the two branches of the case analysis in $R$, the session is no longer typable with $T'$, ensuring that the protocol is implemented faithfully.

The example above illustrates a simple yet useful data-dependent protocol. When we further extend our dependent types with a process monad [29], where $\{c \leftarrow P \leftarrow \overline{u_j}; \overline{d_i}\}$ is a functional term denoting a process that may be spawned by other processes by instantiating the names in $\overline{u_j}$ and $\overline{d_i}$, we can provide more powerful reasoning on processes, enabling refined specifications through the use of type indices (i.e. type families) and an ability to internally specify and verify predicates on process behaviours. We also show that all functional types and terms can be faithfully embedded in the process layer using the dependently-typed sessions and process monads.


Contributions. Section 2 introduces our dependent type theory, augmenting the example above by showing how we can reason about process behaviour using type families and dependently-typed functions (Sect. 2.3). We then establish the soundness of the theory (Sect. 2.4). Section 3 develops a faithful embedding of the dependent function space in the process layer (Theorem 3.4). Section 4 concludes with related work. Proofs, omitted definitions and additional examples can be found in [32].

Kinds       $K, K' ::= \mathsf{type} \mid \mathsf{stype} \mid \Pi x{:}\tau.K \mid \Pi t{::}K.K'$
Functional  $\tau, \sigma ::= \Pi x{:}\tau.\sigma \mid \lambda x{:}\tau.\sigma \mid \tau\, M \mid \{\overline{u_j{:}B_j}; \overline{d_i{:}A_i} \vdash c{:}A\} \mid \lambda t{::}K.\tau \mid \tau\, \sigma$
Sessions    $A, B ::= {!}A \mid A \multimap B \mid A \otimes B \mid \forall x{:}\tau.A \mid \exists x{:}\tau.A \mid \mathbf{1} \mid \&\{l_i : A_i\} \mid \oplus\{l_i : A_i\} \mid \lambda x{:}\tau.A \mid A\, M \mid \lambda t{::}K.A \mid A\, B$
Terms       $M, N ::= \lambda x{:}\tau.M \mid \{c \leftarrow P \leftarrow \overline{u_j}; \overline{d_i}\} \mid M\, N \mid x$
Processes   $P, Q ::= \overline{c}\langle d\rangle.P \mid (\nu c)P \mid c(x).P \mid c\langle M\rangle.P \mid {!}c(x).P \mid c.\mathsf{case}\{l_i \Rightarrow P_i\} \mid c.l; P \mid [c \leftrightarrow d] \mid \mathbf{0} \mid c \leftarrow M \leftarrow \overline{u_j}; \overline{d_i}; Q \mid P \,|\, Q$

Fig. 1. Syntax of kinds, types, terms and processes


2 A Dependent Type Theory of Processes 


This section introduces our dependent type theory combining session-typed pro- 
cesses and functions. The theory is a generalisation of the line of work relat- 
ing linear logic and session types [4,25,29], considering type-level functions and 
dependent kinds in an intensional type theory with full mutual dependencies 
between functions and processes. This generalisation enables us to express more 
sophisticated session types (such as those of Sect. 1) and also to define and 
prove properties of processes expressed as type families with proofs as their 
inhabitants. We focus on the new rules and judgements, pointing the interested 
reader to [5,25,26] for additional details on the base theory. 


2.1 Syntax 


The calculus is stratified into two mutually dependent layers of processes and terms, which we often refer to as the process and functional layers, respectively. The syntax of the theory is given in Fig. 1 (we use $x, y$ for variables ranging over terms and $t$ for variables ranging over types).

Types and Kinds. The process layer is able to refer to terms of the functional layer via appropriate (dependently-typed) communication actions and through a spawn construct, allowing processes encapsulated as functional values to be executed. Dually, the functional layer can refer to the process layer via a contextual monad [29] that internalises (open) typed processes as opaque functional values. This mutual dependency is also explicit in the type structure on several axes: process channel usages are typed by a language of session types, which specifies the communication protocols implemented on the used channels, extended with two dependent communication operations $\forall x{:}\tau.A$ and $\exists x{:}\tau.A$, where $\tau$ is a functional type and $A$ is a session type in which $x$ may occur. Moreover, we also extend the language of session types with type-level λ-abstraction over terms $\lambda x{:}\tau.A$ and session types $\lambda t{::}K.A$ (with the corresponding elimination forms $A\, M$ and $A\, B$). As shown in Sect. 1, the combination of these features allows for a new degree of expressiveness, enabling us to construct session types whose structure depends on previously communicated values.

The remaining session constructs are standard, following [5]: ${!}A$ denotes a shared session of type $A$ that may be used an arbitrary (finite) number of times; $A \multimap B$ represents a session offering to input a session of type $A$ and then offer the session behaviour $B$; $A \otimes B$ is the dual operator, denoting a session that outputs $A$ and proceeds as $B$; $\oplus\{l_i : A_i\}$ and $\&\{l_i : A_i\}$ represent internal and external labelled choice, respectively; $\mathbf{1}$ denotes the terminated session.

The functional layer is a λ-calculus with dependent functions $\Pi x{:}\tau.\sigma$, type-level λ-abstractions over terms and types (and the respective type-level applications) and a contextual monadic type $\{\overline{u_j{:}B_j}; \overline{d_i{:}A_i} \vdash c{:}A\}$, denoting a (quoted) process offering session $c{:}A$ by using the linear sessions $\overline{d_i{:}A_i}$ and shared sessions $\overline{u_j{:}B_j}$ [29]. We often write $\{A\}$ for $\{\cdot; \cdot \vdash c{:}A\}$. The kinding system for our theory contains two base kinds $\mathsf{type}$ and $\mathsf{stype}$ of functional and session types, respectively. Type-level λ-abstractions require the dependent kinds $\Pi x{:}\tau.K$ and $\Pi t{::}K.K'$, respectively. We note that the functional connectives form a standard dependent type theory [11,21].


Terms and Processes. Terms include the standard λ-abstractions $\lambda x{:}\tau.M$, applications $M\, N$ and variables $x$. In order to internalise processes within the functional layer we make use of a monadic process wrapper, written $\{c \leftarrow P \leftarrow \overline{u_j}; \overline{d_i}\}$. In such a construct, the channels $c$, $\overline{u_j}$ and $\overline{d_i}$ are bound in $P$, where $c$ is the session channel being offered and $\overline{u_j}$ and $\overline{d_i}$ are the session channels (shared and linear, respectively) being used. We write $\{c \leftarrow P \leftarrow \epsilon\}$ when $P$ does not use any ambient channels, which we abbreviate to $\{P\}$.

The syntax of processes follows that of [5], extended with the monadic elimination form $c \leftarrow M \leftarrow \overline{u_j}; \overline{d_i}; Q$. Such a process construct denotes a term $M$ that is to be evaluated to a monadic value of the form $\{c \leftarrow P \leftarrow \overline{u_j}; \overline{d_i}\}$, which will then be executed in parallel with $Q$, sharing with it a session channel $c$ and using the provided channels $\overline{u_j}$ and $\overline{d_i}$. We write $c \leftarrow M \leftarrow \epsilon; Q$ when no channels are provided for the execution of $M$ and often abbreviate this to $c \leftarrow M; Q$. The process $\overline{c}\langle d\rangle.P$ denotes the output of the fresh channel $d$ along channel $c$ with continuation $P$, which binds $d$; $(\nu c)P$ denotes channel hiding, restricting the scope of $c$ to $P$; $c(x).P$ denotes an input along $c$, bound to $x$ in $P$; $c\langle M\rangle.P$ denotes the output of term $M$ along $c$ with continuation $P$; ${!}c(x).P$ denotes a replicated input which spawns copies of $P$; the construct $c.\mathsf{case}\{l_i \Rightarrow P_i\}$ codifies a process that waits to receive some label $l_i$ along $c$, with continuation $P_i$; dually, $c.l; P$ denotes a process that emits a label $l$ along $c$ and continues as $P$; $[c \leftrightarrow d]$ denotes a forwarder between $c$ and $d$, which is operationally implemented as renaming; $P \mid Q$ denotes parallel composition and $\mathbf{0}$ the null process.


2.2 A Dependent Typing System 


We now introduce our typing system, defined by a series of mutually inductive judgements, given in Fig. 2. We use $\Psi$ to stand for a typing context for dependent λ-terms (i.e. assumptions of the form $x{:}\tau$ or $t{::}K$, not subject to exchange), $\Gamma$ for a typing context for shared sessions of the form $u{:}A$ (implicitly subject to weakening and contraction) and $\Delta$ for a linear context of sessions $x{:}A$. The context well-formedness judgements $\Psi \vdash$ and $\Psi; \Delta \vdash$ require that the types and kinds (resp. session types) in $\Psi$ (resp. $\Delta$) are well-formed. The judgements $\Psi \vdash K$, $\Psi \vdash \tau :: K$ and $\Psi \vdash A :: K$ codify well-formedness of kinds, functional types and session types (of kind $K$), respectively. Their rules are standard.

$\Psi \vdash$ : Context $\Psi$ is well-formed.
$\Psi; \Delta \vdash$ : Context $\Delta$ is well-formed, under the assumptions in $\Psi$.
$\Psi \vdash K$ : $K$ is a kind in context $\Psi$.
$\Psi \vdash \tau :: K$ : $\tau$ is a (functional) type of kind $K$ in context $\Psi$.
$\Psi \vdash A :: K$ : $A$ is a session type of kind $K$ in context $\Psi$.
$\Psi \vdash M : \tau$ : $M$ has type $\tau$ in context $\Psi$.
$\Psi; \Gamma; \Delta \vdash P :: z{:}A$ : $P$ offers session $z{:}A$ when composed with processes offering the sessions specified in $\Gamma$ and $\Delta$, in context $\Psi$.
$\Psi \vdash K_1 = K_2$ : Kinds $K_1$ and $K_2$ are equal.
$\Psi \vdash \tau = \sigma :: K$ : Types $\tau$ and $\sigma$ are equal, of kind $K$.
$\Psi \vdash A = B :: K$ : Session types $A$ and $B$ are equal, of kind $K$.
$\Psi \vdash M = N : \tau$ : Terms $M$ and $N$ are equal, of type $\tau$.
$\Psi \vdash \Delta = \Delta' :: \mathsf{stype}$ : Contexts $\Delta$ and $\Delta'$ are equal, under the assumptions in $\Psi$.
$\Psi; \Gamma; \Delta \vdash P = Q :: z{:}A$ : Processes $P$ and $Q$ are equal, with typing $z{:}A$.

Fig. 2. Typing judgements


Typing. An excerpt of the typing rules for terms and processes is given in Figs. 3 and 4, respectively, noting that typing enforces types to be of base kind $\mathsf{type}$ (respectively $\mathsf{stype}$). The rules for dependent functions are standard, including the type conversion rule, which internalises definitional equality of types. We highlight the introduction rule for the monadic construct, which requires the appropriate session types to be well-formed and the process $P$ to offer $c{:}A$ when provided with the appropriate session contexts.

In the typing rules for processes (Fig. 4), presented as a set of right and left rules (the former identifying how to offer a session of a given type and the latter how to use such a session), we highlight the rules for dependently-typed communication and monadic elimination (for type-checking purposes we annotate constructs with the respective dependent type; this is akin to functional type theories). To offer a session $c{:}\exists x{:}\tau.A$ we send a term $M$ of type $\tau$ and then offer a session $c{:}A\{M/x\}$; dually, to use such a session we perform an input along $c$, bound to $x$ in $Q$, warranting a use of $c$ as a session of (open) type $A$. The rules for the universal are dual. Offering a session $c{:}\forall x{:}\tau.A$ entails receiving on $c$ a term of type $\tau$ and offering $c{:}A$. Using a session of such a type requires sending along $c$ a term $M$ of type $\tau$, warranting the use of $c$ as a session of type $A\{M/x\}$.

The rule for the monadic elimination form requires that the term $M$ be of the appropriate monadic type and that the provided channels $\overline{u_j}$ and $\overline{d_i}$ adhere to the typing specified in $M$'s type. Under these conditions, the process $Q$ may then use the session $c$ as session $A$. The type conversion rules reflect session type definitional equality in typing.
$$(\Pi I)\quad \frac{\Psi \vdash \tau :: \mathsf{type} \qquad \Psi, x{:}\tau \vdash M : \sigma}{\Psi \vdash \lambda x{:}\tau.M : \Pi x{:}\tau.\sigma}$$

$$(\Pi E)\quad \frac{\Psi \vdash M : \Pi x{:}\tau.\sigma \qquad \Psi \vdash N : \tau}{\Psi \vdash M\, N : \sigma\{N/x\}}$$

$$(\{\}I)\quad \frac{\forall i,j.\ \Psi \vdash A_i, B_j :: \mathsf{stype} \qquad \Psi; \overline{u_j{:}B_j}; \overline{d_i{:}A_i} \vdash P :: c{:}A}{\Psi \vdash \{c \leftarrow P \leftarrow \overline{u_j}; \overline{d_i}\} : \{\overline{u_j{:}B_j}; \overline{d_i{:}A_i} \vdash c{:}A\}}$$

$$(\mathsf{Conv})\quad \frac{\Psi \vdash M : \tau \qquad \Psi \vdash \tau = \sigma :: \mathsf{type}}{\Psi \vdash M : \sigma}$$

Fig. 3. Typing for terms (Excerpt, see [32])

$$(\exists R)\quad \frac{\Psi \vdash M : \tau \qquad \Psi; \Gamma; \Delta \vdash P :: c{:}A\{M/x\}}{\Psi; \Gamma; \Delta \vdash c\langle M\rangle_{\exists x{:}\tau.A}.P :: c{:}\exists x{:}\tau.A}$$

$$(\exists L)\quad \frac{\Psi \vdash \tau :: \mathsf{type} \qquad \Psi, x{:}\tau; \Gamma; \Delta, c{:}A \vdash Q :: d{:}D}{\Psi; \Gamma; \Delta, c{:}\exists x{:}\tau.A \vdash c(x{:}\tau).Q :: d{:}D}$$

$$(\forall R)\quad \frac{\Psi \vdash \tau :: \mathsf{type} \qquad \Psi, x{:}\tau; \Gamma; \Delta \vdash P :: c{:}A}{\Psi; \Gamma; \Delta \vdash c(x{:}\tau).P :: c{:}\forall x{:}\tau.A}$$

$$(\forall L)\quad \frac{\Psi \vdash M : \tau \qquad \Psi; \Gamma; \Delta, c{:}A\{M/x\} \vdash Q :: d{:}D}{\Psi; \Gamma; \Delta, c{:}\forall x{:}\tau.A \vdash c\langle M\rangle_{\forall x{:}\tau.A}.Q :: d{:}D}$$

$$(\mathsf{DE})\quad \frac{\Delta' = \overline{d_i{:}B_i} \qquad \overline{u_j{:}C_j} \in \Gamma \qquad \Psi \vdash M : \{\overline{u_j{:}C_j}; \overline{d_i{:}B_i} \vdash c{:}A\} \qquad \Psi; \Gamma; \Delta, c{:}A \vdash Q :: z{:}C}{\Psi; \Gamma; \Delta, \Delta' \vdash c \leftarrow M \leftarrow \overline{u_j}; \overline{d_i}; Q :: z{:}C}$$

$$(\mathsf{ConvR})\quad \frac{\Psi; \Gamma; \Delta \vdash P :: z{:}A \qquad \Psi \vdash A = B :: \mathsf{stype}}{\Psi; \Gamma; \Delta \vdash P :: z{:}B}$$

$$(\mathsf{ConvL})\quad \frac{\Psi; \Gamma; \Delta \vdash P :: z{:}A \qquad \Psi \vdash \Delta = \Delta' :: \mathsf{stype}}{\Psi; \Gamma; \Delta' \vdash P :: z{:}A}$$

$$(\mathsf{cut})\quad \frac{\Psi; \Gamma; \Delta \vdash P :: c{:}A \qquad \Psi; \Gamma; \Delta', c{:}A \vdash Q :: d{:}D}{\Psi; \Gamma; \Delta, \Delta' \vdash (\nu c)(P \mid Q) :: d{:}D}$$

Fig. 4. Typing for processes (Excerpt, see [32])


Definitional Equality. The crux of any dependent type theory lies in its definitional equality. Type equality relies on equality of terms which, by including the monadic construct, necessarily relies on a notion of process equality.

Our presentation of an intensional definitional equality of terms follows that of [12], where we consider an intrinsically typed relation, including β and η conversion (similarly for type equality, which includes β and η principles for the type-level λ-abstractions). An excerpt of the rules for term equality is given in Fig. 5. The remaining rules are congruence rules and closure under symmetry, reflexivity and transitivity. Rule (TMEqβ) captures β-reduction, identifying a λ-abstraction applied to an argument with the substitution of the argument in the function body (typed with the appropriately substituted type). We highlight rule (TMEq{}η), which codifies a general η-like principle for arbitrary terms of monadic type: we form a monadic term that applies the monadic elimination form to $M$, forwarding the result along the appropriate channel, which becomes a term equivalent to $M$.
$$(\mathsf{TMEq}\beta)\quad \frac{\Psi \vdash \tau :: \mathsf{type} \qquad \Psi, x{:}\tau \vdash M : \sigma \qquad \Psi \vdash N : \tau}{\Psi \vdash (\lambda x{:}\tau.M)\, N = M\{N/x\} : \sigma\{N/x\}}$$

$$(\mathsf{TMEq}\eta)\quad \frac{\Psi \vdash M : \Pi x{:}\tau.\sigma \qquad x \notin fv(M)}{\Psi \vdash \lambda x{:}\tau.M\, x = M : \Pi x{:}\tau.\sigma}$$

$$(\mathsf{TMEq}\{\}\eta)\quad \frac{\Psi \vdash M : \{\overline{u_j{:}B_j}; \overline{d_i{:}A_i} \vdash c{:}A\}}{\Psi \vdash \{c \leftarrow (y \leftarrow M \leftarrow \overline{u_j}; \overline{d_i}; [y \leftrightarrow c]) \leftarrow \overline{u_j}; \overline{d_i}\} = M : \{\overline{u_j{:}B_j}; \overline{d_i{:}A_i} \vdash c{:}A\}}$$

Fig. 5. Definitional equality of terms (Excerpt, see [32])


$$(\mathsf{PEqRed})\quad \frac{\Psi; \Gamma; \Delta \vdash P :: z{:}A \qquad P \to Q \qquad \Psi; \Gamma; \Delta \vdash Q :: z{:}A}{\Psi; \Gamma; \Delta \vdash P = Q :: z{:}A}$$

$$(\mathsf{PEq}\forall\eta)\quad \Psi; \Gamma; d{:}\forall x{:}\tau.A \vdash c(x).d\langle x\rangle.[d \leftrightarrow c] = [d \leftrightarrow c] :: c{:}\forall x{:}\tau.A$$

$$(\mathsf{PEqCC}\forall)\quad \frac{\Psi; \Gamma; \Delta \vdash P :: d{:}B \qquad \Psi, x{:}\tau; \Gamma; \Delta', d{:}B \vdash Q :: c{:}A}{\Psi; \Gamma; \Delta, \Delta' \vdash (\nu d)(P \mid c(x).Q) = c(x).(\nu d)(P \mid Q) :: c{:}\forall x{:}\tau.A}$$

Fig. 6. Definitional equality of processes (Excerpt, see [32])


Definitional equality of processes is summarised in Fig. 6. We rely on process reduction, defined below. Definitional equality of processes consists of the usual congruence rules, (typed) reductions, the commuting conversions of linear logic and η-like principles, which allow forwarding actions to be equated with the primitive syntactic forwarding construct. Commuting conversions amount to sound observational equivalences between processes [22], given that session composition requires name restriction (embodied by the (cut) rule): in rule (PEqCC∀), either process can only be interacted with via channel $c$, and so postponing actions of $P$ to after the input on $c$ (when reading the equality from left to right) cannot impact the process' observable behaviours. While $P$ can in general interact with sessions in $\Delta$ (or with $Q$), these interactions are unobservable due to hiding in the (cut) rule.


Operational Semantics. The operational semantics for the λ-calculus is standard, noting that no reduction can take place inside monadic terms. The operational (reduction) semantics for processes is presented below, where we omit closure under structural congruence and the standard congruence rules [4,25,29]. The last rule defines spawning a process in a monadic term.

$c\langle M\rangle.P \mid c(x).Q \to P \mid Q\{M/x\}$
$\overline{c}\langle x\rangle.P \mid c(x).Q \to (\nu x)(P \mid Q)$
${!}c(x).P \mid \overline{c}\langle x\rangle.Q \to {!}c(x).P \mid (\nu x)(P \mid Q)$
$c.\mathsf{case}\{l_i \Rightarrow P_i\} \mid c.l_j; Q \to P_j \mid Q \quad (l_j \in l_i)$
$(\nu c)(P \mid [c \leftrightarrow d]) \to P\{d/c\}$
$c \leftarrow \{c \leftarrow P \leftarrow \overline{u_j}; \overline{d_i}\} \leftarrow \overline{u_j}; \overline{d_i}; Q \to (\nu c)(P \mid Q)$
2.3 Example: Reasoning About Processes Using Dependent Types

The use of type indices (i.e. type families) in dependently typed frameworks adds information to types to produce more refined specifications. Our framework enables us to do this at the level of session types.

Consider a session type that "counts down" on a natural number (we assume inductive definitions and dependent pattern matching in the style of [21]):

$\mathsf{countDown} :: \Pi x{:}\mathsf{Nat}.\mathsf{stype}$
$\mathsf{countDown}\ (\mathsf{succ}(n)) = \exists y{:}\mathsf{Nat}.\mathsf{countDown}(n)$
$\mathsf{countDown}\ \mathsf{z} = \mathbf{1}$

The type family $\mathsf{countDown}(n)$ denotes a session type that emits exactly $n$ numbers and then terminates. We can now write a (dependently-typed) function that produces processes with the appropriate type, given a starting value:

$\mathsf{counter} : \Pi x{:}\mathsf{Nat}.\{\mathsf{countDown}(x)\}$
$\mathsf{counter}\ (\mathsf{succ}(n)) = \{c \leftarrow c\langle\mathsf{succ}(n)\rangle.d \leftarrow \mathsf{counter}(n); [d \leftrightarrow c]\}$
$\mathsf{counter}\ \mathsf{z} = \{c \leftarrow \mathbf{0}\}$

Note how the type of $\mathsf{counter}$, through the type family $\mathsf{countDown}$, allows us to specify exactly the number of times a value is sent. This is in sharp contrast with existing recursive (or inductive/coinductive [18,30]) session types, where one may only specify the general iterative nature of the behaviour (e.g. "send a number and then recurse or terminate").

The example above relies on session type indexing in order to provide additional static guarantees about processes (and the functions that generate them). An alternative way is to consider "simply-typed" programs and then prove that they satisfy the desired properties, using the language itself. Consider a simply-typed version of the counter above, described as an inductive session type:

$\mathsf{simpleCounterT} :: \mathsf{stype}$
$\mathsf{simpleCounterT} = \oplus\{\mathsf{dec} : \mathsf{Nat} \wedge \mathsf{simpleCounterT},\ \mathsf{done} : \mathbf{1}\}$

There are many processes that correctly implement such a type, given that the type merely dictates that the session outputs a natural number and recurses (modulo the $\mathsf{dec}$ and $\mathsf{done}$ messages that signal which branch of the internal choice is taken). A function that produces processes implementing such a session, mirroring those generated by the $\mathsf{counter}$ function above, is:

$\mathsf{simpleCounter} : \mathsf{Nat} \to \{\mathsf{simpleCounterT}\}$
$\mathsf{simpleCounter}\ (\mathsf{succ}(n)) = \{c \leftarrow c.\mathsf{dec}; (\nu d)(d\langle\mathsf{succ}(n)\rangle.\mathbf{0} \mid d(x).c\langle x\rangle.d \leftarrow \mathsf{simpleCounter}(n); [d \leftrightarrow c])\}$
$\mathsf{simpleCounter}\ \mathsf{z} = \{c \leftarrow c.\mathsf{done}; \mathbf{0}\}$

The process generated by $\mathsf{simpleCounter}$, after emitting the $\mathsf{dec}$ label, spawns a process in parallel that sends the appropriate number, which is received by the parallel thread and then sent along the session $c$. Despite its simplicity, this example embodies a general pattern where a computation is spawned in parallel (itself potentially spawning many other threads) and the main thread then waits for the result before proceeding.
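The two points made so far (the imprecise type $T$ of Sect. 1, which admits a branch-swapped implementation that $T'$ rejects, and the indexed type $\mathsf{countDown}(n)$ above, which pins the exact number of outputs where $\mathsf{simpleCounterT}$ accepts any count) can be exercised with a small checker. The following Python block is an added example and not code from the paper: it implements a toy checker for a fragment of the calculus (dependent input, the type-level $\mathsf{if}$, internal choice, value output and $\mathbf{1}$) over a tuple encoding of types and processes chosen here. It assumes that a process binds the same variable name as the $\forall$ type it offers (no alpha-renaming), that $\mathsf{Nat}$ is modelled by a non-negative Python int, and it omits spawn and forwarding, so its `counter` sends directly rather than delegating each step to a child process as the paper's does.

```python
"""Toy session-type checker for a fragment of the calculus: dependent input (forall), a
type-level conditional, internal choice, value output (tau /\ A) and the terminated
session 1. Added example, not from the paper; the tuple encodings are this file's own."""
from typing import Any, Dict, Optional, Tuple

# Types:  ('forall', x, base, A) | ('if', x, A, B) | ('plus', {label: A}) | ('out', base, A)
#         | ('one',) | ('rec', thunk)          -- thunk() unfolds one level of a recursive type
# Procs:  ('input', x, P) | ('case', x, {value: P}) | ('select', label, P) | ('output', v, P) | ('end',)
# Assumptions: a process binds the same name as the forall type it offers (no alpha-renaming);
# Nat is a non-negative Python int; there is no spawn/forwarding (counter sends directly).
Env = Dict[str, Optional[Any]]  # variable -> known value, or None when only its base type is known


def normalise(A: Tuple, env: Env) -> Tuple:
    """Unfold recursive types and reduce a type-level `if` whose scrutinee is known in env."""
    while True:
        if A[0] == 'rec':
            A = A[1]()
        elif A[0] == 'if' and env.get(A[1]) is not None:
            A = A[2] if env[A[1]] else A[3]
        else:
            return A


def has_base(v: Any, base: str) -> bool:
    """Check Bool before Nat: bool is a subclass of int in Python."""
    if base == 'Bool':
        return isinstance(v, bool)
    if base == 'Nat':
        return isinstance(v, int) and not isinstance(v, bool) and v >= 0
    return False


def check(P: Tuple, A: Tuple, env: Optional[Env] = None) -> bool:
    """True iff process P offers session type A, given what env records about variables."""
    env = dict(env or {})
    A = normalise(A, env)
    tag = P[0]
    if tag == 'input':    # (forall-R): receive x of the base type, continue at the open body
        return A[0] == 'forall' and A[1] == P[1] and check(P[2], A[3], {**env, P[1]: None})
    if tag == 'case':     # dependent pattern matching: each branch learns the value of x
        x, branches = P[1], P[2]
        return x in env and all(check(Pv, A, {**env, x: v}) for v, Pv in branches.items())
    if tag == 'select':   # (plus-R): the chosen label must be offered by the type
        return A[0] == 'plus' and P[1] in A[1] and check(P[2], A[1][P[1]], env)
    if tag == 'output':   # (exists-R) with a non-dependent continuation, i.e. tau /\ A
        return A[0] == 'out' and has_base(P[1], A[1]) and check(P[2], A[2], env)
    if tag == 'end':
        return A[0] == 'one'
    return False


# --- Sect. 1: imprecise T versus the data-dependent T' (here T_DEP) -------------------
ONE = ('one',)
T = ('forall', 'x', 'Bool', ('plus', {'t': ('out', 'Nat', ONE), 'f': ('out', 'Bool', ONE)}))
T_DEP = ('forall', 'x', 'Bool', ('if', 'x', ('out', 'Nat', ONE), ('out', 'Bool', ONE)))

Q = ('input', 'x', ('case', 'x', {True: ('select', 't', ('output', 23, ('end',))),
                                   False: ('select', 'f', ('output', True, ('end',)))}))
Q_FLIPPED = ('input', 'x', ('case', 'x', {False: ('select', 't', ('output', 23, ('end',))),
                                           True: ('select', 'f', ('output', True, ('end',)))}))
R = ('input', 'x', ('case', 'x', {True: ('output', 23, ('end',)), False: ('output', True, ('end',))}))
R_FLIPPED = ('input', 'x', ('case', 'x', {False: ('output', 23, ('end',)), True: ('output', True, ('end',))}))
R_NO_CASE = ('input', 'x', ('output', 23, ('end',)))  # never inspects x, so `if x ...` stays stuck


# --- Sect. 2.3: countDown(n) pins the exact count; simpleCounterT does not -------------
def count_down(n: int) -> Tuple:
    """countDown(n): emit exactly n numbers, then terminate."""
    return ONE if n == 0 else ('out', 'Nat', count_down(n - 1))


def counter(n: int) -> Tuple:
    """Sends n, n-1, ..., 1 and stops (the paper's counter delegates each step to a child)."""
    return ('end',) if n == 0 else ('output', n, counter(n - 1))


SIMPLE_COUNTER_T = ('rec', lambda: ('plus', {'dec': ('out', 'Nat', SIMPLE_COUNTER_T), 'done': ONE}))


def simple_counter(n: int) -> Tuple:
    return ('select', 'done', ('end',)) if n == 0 else ('select', 'dec', ('output', n, simple_counter(n - 1)))


# Claims to count down from 3 but stops after one step; simpleCounterT cannot tell.
SHORT_CUT = ('select', 'dec', ('output', 3, ('select', 'done', ('end',))))

if __name__ == '__main__':
    for name, proc, typ in [('Q', Q, T), ('Q_FLIPPED', Q_FLIPPED, T), ('R', R, T_DEP),
                            ('R_FLIPPED', R_FLIPPED, T_DEP), ('R_NO_CASE', R_NO_CASE, T_DEP),
                            ('counter(3)', counter(3), count_down(3)),
                            ('counter(2)', counter(2), count_down(3)),
                            ('SHORT_CUT', SHORT_CUT, SIMPLE_COUNTER_T)]:
        print(f'{name:12s} {"typable" if check(proc, typ) else "REJECTED"}')
```

Running the module lists which implementations each type accepts. The outcomes worth noting are that `Q_FLIPPED` is accepted by `T` while `R_FLIPPED` is rejected by `T_DEP`; that `R_NO_CASE` is rejected because the type-level `if` only reduces once the process has case-analysed `x`, mirroring how the paper's type refinement is driven by dependent pattern matching; and that `SHORT_CUT` is accepted by `SIMPLE_COUNTER_T` although it stops after one step, whereas `count_down(3)` accepts `counter(3)` and rejects both `counter(2)` and `counter(4)`.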

While such a process is typable in most session typing frameworks, our theory enables us to prove that the counter implementation above indeed counts down from a given number, by defining an appropriate (inductive) type family indexed by monadic values (i.e. processes):

$\mathsf{corrCount} :: \Pi x{:}\mathsf{Nat}.\Pi y{:}\{\mathsf{simpleCounterT}\}.\mathsf{type}$
$\mathsf{corr_z} : \mathsf{corrCount}\ \mathsf{z}\ \{c \leftarrow c.\mathsf{done}; \mathbf{0}\}$
$\mathsf{corr_{succ}} : \Pi n{:}\mathsf{Nat}.\Pi P{:}\{\mathsf{simpleCounterT}\}.\mathsf{corrCount}\ n\ P \to \mathsf{corrCount}\ (\mathsf{succ}(n))\ \{c \leftarrow c.\mathsf{dec}; c\langle\mathsf{succ}(n)\rangle.d \leftarrow P; [d \leftrightarrow c]\}$

The type family $\mathsf{corrCount}$, indexed by a natural number and a monadic value implementing the session type $\mathsf{simpleCounterT}$, is defined via two constructors: $\mathsf{corr_z}$, which specifies that a correct 0-counter emits the $\mathsf{done}$ label and terminates; and $\mathsf{corr_{succ}}$, which, given a monadic value $P$ that is a correct $n$-counter, defines that a correct $(n+1)$-counter emits $n+1$ and then proceeds as $P$ (modulo the label emission bookkeeping).

The proof of correctness of the $\mathsf{simpleCounter}$ function above is no more than a function of type $\Pi n{:}\mathsf{Nat}.\mathsf{corrCount}\ n\ (\mathsf{simpleCounter}(n))$, defined below:

$\mathsf{prf} : \Pi n{:}\mathsf{Nat}.\mathsf{corrCount}\ n\ (\mathsf{simpleCounter}(n))$
$\mathsf{prf}\ \mathsf{z} = \mathsf{corr_z}$
$\mathsf{prf}\ (\mathsf{succ}(n)) = \mathsf{corr_{succ}}\ n\ (\mathsf{simpleCounter}(n))\ (\mathsf{prf}\ n)$

Note that in this scenario the processes that index the $\mathsf{corrCount}$ type family are not syntactically equal to those generated by $\mathsf{simpleCounter}$, but rather definitionally equal.

Typically, the processes that index such correctness specifications tend to be distilled versions of the actual implementations, which often perform some additional internal computation or communication steps. Since our notion of definitional equality of processes includes reduction (and also commuting conversions, which account for type-preserving shuffling of internal communication actions [26]), the type conversion mechanism allows us to use the techniques described above to reason about specification conformance in general.


2.4 Type Soundness of the Framework

The main goal of this section is to present type soundness of our framework through a subject reduction result. We also show that our theory guarantees progress for terms and processes. The development requires a series of auxiliary results (detailed in [32]) pertaining to the functional and process layers, which are ultimately needed to produce the inversion properties necessary to establish subject reduction. We note that strong normalisation results for linear-logic based session processes are known in the literature [3,26,30], even in the presence of impredicative polymorphism, restricted corecursion and higher-order data. Such results are directly applicable to our work using appropriate semantics-preserving type erasures.

In the remainder we often write $\Psi \vdash J$ to stand for a well-formedness, typing or definitional equality judgement of the appropriate form, and similarly for $\Psi; \Gamma; \Delta \vdash J$. We begin with the substitution property, which naturally holds for both layers, noting that the dependently typed nature of the framework requires substitution in contexts, terms and types.


Lemma 2.1 (Substitution). Let $\Psi \vdash M : \tau$:

1. If $\Psi, x{:}\tau, \Psi' \vdash J$ then $\Psi, \Psi'\{M/x\} \vdash J\{M/x\}$;
2. If $\Psi, x{:}\tau, \Psi'; \Gamma; \Delta \vdash J$ then $\Psi, \Psi'\{M/x\}; \Gamma\{M/x\}; \Delta\{M/x\} \vdash J\{M/x\}$.

Combining substitution with a form of functionality for typing (i.e. that substitution of equal terms in a well-typed term produces equal terms) and for equality (i.e. that substitution of equal terms in a definitional equality proof produces equal terms), we can establish validity for typing and equality, which is a form of internal soundness of the type theory stating that judgements are consistent across the different levels of the theory.

Lemma 2.2 (Validity for Typing). (1) If $\Psi \vdash \tau :: K$ or $\Psi \vdash A :: K$ then $\Psi \vdash K$; (2) If $\Psi \vdash M : \tau$ then $\Psi \vdash \tau :: \mathsf{type}$; and (3) If $\Psi; \Gamma; \Delta \vdash P :: z{:}A$ then $\Psi \vdash A :: \mathsf{stype}$.

Lemma 2.3 (Validity for Equality)

1. If $\Psi \vdash M = N : \tau$ then $\Psi \vdash M : \tau$, $\Psi \vdash N : \tau$ and $\Psi \vdash \tau :: \mathsf{type}$;
2. If $\Psi \vdash \tau = \sigma :: K$ then $\Psi \vdash \tau :: K$, $\Psi \vdash \sigma :: K$ and $\Psi \vdash K$;
3. If $\Psi \vdash A = B :: K$ then $\Psi \vdash A :: K$, $\Psi \vdash B :: K$ and $\Psi \vdash K$;
4. If $\Psi \vdash K = K'$ then $\Psi \vdash K$ and $\Psi \vdash K'$;
5. If $\Psi; \Gamma; \Delta \vdash P = Q :: z{:}A$ then $\Psi; \Gamma; \Delta \vdash P :: z{:}A$, $\Psi; \Gamma; \Delta \vdash Q :: z{:}A$ and $\Psi \vdash A :: \mathsf{stype}$.

With these results we establish the appropriate inversion and injectivity properties, which then enable us to show unicity of types (and kinds).

Theorem 2.4 (Unicity of Types and Kinds)

1. If $\Psi \vdash M : \tau$ and $\Psi \vdash M : \tau'$ then $\Psi \vdash \tau = \tau' :: \mathsf{type}$;
2. If $\Psi \vdash \tau :: K$ and $\Psi \vdash \tau :: K'$ then $\Psi \vdash K = K'$;
3. If $\Psi; \Gamma; \Delta \vdash P :: z{:}A$ and $\Psi; \Gamma; \Delta \vdash P :: z{:}A'$ then $\Psi \vdash A = A' :: \mathsf{stype}$;
4. If $\Psi \vdash A :: K$ and $\Psi \vdash A :: K'$ then $\Psi \vdash K = K'$.

All the results above, combined with the process-level properties established in [5,26,27], enable us to show the following:

Theorem 2.5 (Subject Reduction for Terms). If $\Psi \vdash M : \tau$ and $M \to M'$ then $\Psi \vdash M' : \tau$.

Theorem 2.6 (Subject Reduction for Processes). If $\Psi; \Gamma; \Delta \vdash P :: z{:}A$ and $P \to P'$ then $\exists Q$ such that $P' \equiv Q$ and $\Psi; \Gamma; \Delta \vdash Q :: z{:}A$.
Theorem 2.7 (Progress for Terms). If $\Psi \vdash M : \tau$ then either $M$ is a value or $M \to M'$.

As is common in logic-based session type theories, typing enforces a strong notion of global progress, which states that closed processes that are waiting to perform communication actions cannot get stuck (this relies on a notion of live process, defined as $\mathsf{live}(P)$ iff $P \equiv (\nu \overline{n})(\pi.Q \mid R)$ for some process $R$, sequence of names $\overline{n}$ and non-replicated guarded process $\pi.Q$). We note that the restricted typing for $P$ is without loss of generality, due to the (cut) rule.

Theorem 2.8 (Progress for Processes). If $\Psi; \cdot; \cdot \vdash P :: c{:}\mathbf{1}$ and $\mathsf{live}(P)$ then $\exists Q$ such that $P \to Q$.


3 Embedding the Functional Layer in the Process Layer 


Having introduced our type theory and showcased some of its informal expres- 
siveness in terms of the ability to specify and statically verify true data dependent 
protocols, as well as the ability to prove properties of processes, we now develop 
a formal expressiveness result for our theory, showing that the process level type 
constructs are able to encode the dependently-typed functional layer, faithfully 
preserving type dependencies. 

Specifically, we show that (1) the type-level constructs in the functional layer can be represented by those in the process layer combined with the contextual monad type, and (2) all term-level constructs can be represented by session-typed processes that exchange monadic values. Thus, we show that both λ-abstraction and application can be eliminated while still preserving non-trivial type dependencies. Crucially, we note that the monadic construct cannot be fully eliminated due to the cross-layer nature of session type dependencies: in the process layer, simply-kinded dependent types (i.e. types with kind $\mathsf{stype}$) are of the form $\forall x{:}\tau.A$ where $\tau$ is of kind $\mathsf{type}$ and $A$ of kind $\mathsf{stype}$ (where $x$ may occur). Operationally, such a session denotes an input of some term $M$ of type $\tau$ with a continuation of type $A\{M/x\}$. Thus, to faithfully encode type dependencies we cannot represent such a type with a non-dependently typed input (e.g. a type of the form $A \multimap B$).


3.1 The Embedding 


Depending on Session-Typed Processes 139

A first attempt. Given the observation above, a seemingly reasonable option would be to attempt an encoding that maintains monadic objects solely at the level of type indices and then exploits Girard's encoding [9] of function types $\tau \to \sigma$ as ${!}[\![\tau]\!] \multimap [\![\sigma]\!]$, which is adequate for session-typed processes [28]. Thus a candidate encoding for the type $\Pi x{:}\tau.\sigma$ would be $\forall x{:}\{[\![\tau]\!]\}.{!}[\![\tau]\!] \multimap [\![\sigma]\!]$, where $[\![-]\!]$ denotes our encoding on types. If we then consider the encoding at the level of terms, typing dictates the following (we write $[\![M]\!]_z$ for the process encoding of $M : \tau$, where $z$ is the session channel along which one may observe the "result" of the encoding, typed with $[\![\tau]\!]$):

$[\![\lambda x{:}\tau.M]\!]_z = z(x).z(x').[\![M]\!]_z$
$[\![M\, N]\!]_z = (\nu x)([\![M]\!]_x \mid x\langle\{[\![N]\!]_y\}\rangle.\overline{x}\langle x'\rangle.({!}x'(y).[\![N]\!]_y \mid [x \leftrightarrow z]))$

However, this candidate encoding breaks down once we consider definitional equality. Specifically, compositionality (i.e. the relationship between $[\![M\{N/x\}]\!]_z$ and the encoding of $N$ substituted in that of $M$) requires us to relate $[\![M\{N/x\}]\!]_z$ with $(\nu x')([\![M]\!]_z\{\{[\![N]\!]_y\}/x\} \mid {!}x'(y).[\![N]\!]_y)$, which relies on reasoning up to observational equivalence of processes, a much stronger relation than our notion of definitional equality. Therefore it is fundamentally impossible for such an encoding to preserve our definitional equality, and thus it cannot preserve typing in the general case.


A faithful embedding. We now develop our embedding of the functional layer into the process layer which is compatible with definitional equality. Our target calculus is reminiscent of a higher-order (in the sense of higher-order processes [23]) session calculus [19]. Our encoding $[\![-]\!]$ is inductively defined on kinds, types, session types, terms and processes. As usual in process encodings of the λ-calculus, the encoding of a term $M$ is indexed by a result channel $z$, written $[\![M]\!]_z$, where the behaviour of $M$ may be observed.

Kinds:
$[\![\mathsf{type}]\!] \triangleq \mathsf{stype}$ $\qquad$ $[\![\mathsf{stype}]\!] \triangleq \mathsf{stype}$
$[\![\Pi x{:}\tau.K]\!] \triangleq \Pi x{:}\{[\![\tau]\!]\}.[\![K]\!]$ $\qquad$ $[\![\Pi t{::}K_1.K_2]\!] \triangleq \Pi t{::}[\![K_1]\!].[\![K_2]\!]$

Functional:
$[\![\Pi x{:}\tau.\sigma]\!] \triangleq \forall x{:}\{[\![\tau]\!]\}.[\![\sigma]\!]$ $\qquad$ $[\![\{\overline{u_j{:}B_j}; \overline{d_i{:}B_i} \vdash c{:}A\}]\!] \triangleq {!}[\![B_j]\!] \multimap [\![B_i]\!] \multimap [\![A]\!]$
$[\![\lambda x{:}\tau.\sigma]\!] \triangleq \lambda x{:}\{[\![\tau]\!]\}.[\![\sigma]\!]$ $\qquad$ $[\![\tau\, M]\!] \triangleq [\![\tau]\!]\{[\![M]\!]_z\}$
$[\![\lambda t{::}K.\tau]\!] \triangleq \lambda t{::}[\![K]\!].[\![\tau]\!]$ $\qquad$ $[\![\tau\, \sigma]\!] \triangleq [\![\tau]\!]\, [\![\sigma]\!]$

Sessions:
$[\![\forall x{:}\tau.A]\!] \triangleq \forall x{:}\{[\![\tau]\!]\}.[\![A]\!]$ $\qquad$ $[\![\exists x{:}\tau.A]\!] \triangleq \exists x{:}\{[\![\tau]\!]\}.[\![A]\!]$
$[\![\lambda x{:}\tau.A]\!] \triangleq \lambda x{:}\{[\![\tau]\!]\}.[\![A]\!]$ $\qquad$ $[\![A\, M]\!] \triangleq [\![A]\!]\{[\![M]\!]_z\}$

Terms:
$[\![\lambda x{:}\tau.M]\!]_z \triangleq z(x{:}\{[\![\tau]\!]\}).[\![M]\!]_z$ $\qquad$ $[\![M\, N]\!]_z \triangleq (\nu x)([\![M]\!]_x \mid x\langle\{[\![N]\!]_y\}\rangle.[x \leftrightarrow z])$
$[\![x]\!]_z \triangleq y \leftarrow x; [y \leftrightarrow z]$ $\qquad$ $[\![\{c \leftarrow P \leftarrow \overline{u_j}; \overline{d_i}\}]\!]_z \triangleq z(u_0).\cdots.z(u_j).z(d_0).\cdots.z(d_n).[\![P]\!]$

Processes:
$[\![(\nu x)(P \mid Q)]\!] \triangleq (\nu x)([\![P]\!] \mid [\![Q]\!])$ $\qquad$ $[\![\mathbf{0}]\!] \triangleq \mathbf{0}$ $\qquad$ $[\![\overline{x}\langle y\rangle.(P \mid Q)]\!] \triangleq \overline{x}\langle y\rangle.([\![P]\!] \mid [\![Q]\!])$
$[\![x\langle M\rangle.P]\!] \triangleq x\langle\{[\![M]\!]_y\}\rangle.[\![P]\!]$ $\qquad$ $[\![x(y).P]\!] \triangleq x(y).[\![P]\!]$
$[\![c \leftarrow M \leftarrow \overline{u_j}; \overline{y_i}; Q]\!] \triangleq (\nu c)([\![M]\!]_c \mid \overline{c}\langle v_1\rangle.(\overline{u_1}\langle a_1\rangle.[a_1 \leftrightarrow v_1] \mid \cdots \mid \overline{c}\langle d_1\rangle.([y_1 \leftrightarrow d_1] \mid \cdots \mid \overline{c}\langle d_n\rangle.([y_n \leftrightarrow d_n] \mid [\![Q]\!])\cdots))$

Fig. 7. An embedding of dependent functions into processes
The embedding is presented in Fig. 7, noting that the encoding extends
straightforwardly to typing contexts, where functional contexts $\Psi, x{:}\tau$ are
mapped to $\{[\Psi]\}, x{:}\{[\tau]\}$. The mapping of base kinds is straightforward. Dependent
kinds $\Pi x{:}\tau.K$ rely on the monad for well-formedness and are encoded as
(session) kinds of the form $\Pi x{:}\{[\tau]\}.[K]$. The higher-kinded types in the functional
layer are translated to the corresponding type-level constructs of the process
layer, where all objects that must be type-kinded rely on the monad to satisfy
this constraint. For instance, $\lambda x{:}\tau.\sigma$ is mapped to the session-type abstraction
$\lambda x{:}\{[\tau]\}.[\sigma]$ and the type-level application $\tau\,M$ is translated to $[\tau]\{[M]_z\}$.
Given the observation above on embedding the dependent function type $\Pi x{:}\tau.\sigma$,
we translate it directly to $\forall x{:}\{[\tau]\}.[\sigma]$, that is, functions from $\tau$ to $\sigma$ are mapped
to sessions that input processes implementing $[\tau]$ and then behave as $[\sigma]$ accordingly.
The encoding for monadic types simply realises the contextual nature of
the monad by performing a sequence of inputs of the appropriate types (with
the shared sessions being of $!$ type).

The mutually dependent nature of the framework requires us to extend
the mapping to the process layer. Session types are mapped homomorphically
(e.g. $[A \multimap B] = [A] \multimap [B]$) with the exception of dependent inputs and outputs,
which rely on the monad, and similarly for type-level functions and application.

The encoding of $\lambda$-terms is guided by the embedding for types: the abstraction
$\lambda x{:}\tau.M$ is mapped to an input of a term of type $\{[\tau]\}$ with continuation
$[M]_z$; application $M\,N$ is mapped to the composition of the encoding of $M$ on a
fresh name $x$ with the corresponding output of $\{[N]_y\}$, which is then forwarded
to the result channel $z$; monadic expressions are translated to the appropriate
sequence of inputs, as dictated by the translation of the monadic type; and
the translation of variables makes use of the monadic elimination form (since
the encoding enforces variables to always be of monadic type) combined with
forwarding to the appropriate result channel.

The mapping for processes is mostly homomorphic, using the monad con- 
structor as needed. The only significant exception is the encoding for monadic 
elimination which must provide the encoded monadic term [M], with the neces- 
sary channels. Since the session calculus does not support communication of free 
names this is achieved by a sequence of outputs of fresh names combined with 
forwarding of the appropriate channel. To account for replicated sessions we must 
first trigger the replication via an output which is then forwarded accordingly. 

We can illustrate our encoding via a simple example of an encoded function
(we omit type annotations for conciseness):

$$
\begin{aligned}
[(\lambda x.x)\,(\lambda x.\lambda y.y)]_z
&= (\nu c)([\lambda x.x]_c \mid \overline{c}(\{[\lambda x.\lambda y.y]_w\}).[c \leftrightarrow z]) \\
&= (\nu c)(c(x).y \leftarrow x;\ [y \leftrightarrow c] \mid \overline{c}(\{w(x).w(y).d \leftarrow y;\ [d \leftrightarrow w]\}).[c \leftrightarrow z]) \\
&\to^{+} z(x).z(y).d \leftarrow y;\ [d \leftrightarrow z] \;=\; [\lambda x.\lambda y.y]_z
\end{aligned}
$$


3.2 Properties of the Embedding 


We now state the key properties satisfied by our embedding, ultimately resulting 
in type preservation and operational correspondence. For conciseness, in the 
statements below we list only the cases for terms and processes, omitting those
for types and kinds (see [32]). The key property that is needed is a notion of 
compositionality, which unlike in the sketch above no longer falls outside of 
definitional equality. 


Lemma 3.1 (Compositionality)

1. $\Psi; \Gamma; \Delta \vdash [M\{N/x\}]_z = [M]_z\{\{[N]_y\}/x\} :: z{:}[\tau\{N/x\}]$
2. $\Psi; \Gamma; \Delta \vdash [P\{N/x\}] = [P]\{\{[N]_y\}/x\} :: z{:}[A\{N/x\}]$


Given the dependently typed nature of the framework, establishing the key 
properties of the encoding must be done simultaneously (relying on some auxil- 
iary results — see [32]). 


Theorem 3.2 (Preservation of Equality)

1. If $\Psi \vdash M = N : \tau$ then $\{[\Psi]\}; \cdot; \cdot \vdash [M]_z = [N]_z :: z{:}[\tau]$.
2. If $\Psi; \Gamma; \Delta \vdash P = Q :: z{:}A$ then $\{[\Psi]\}; [\Gamma]; [\Delta] \vdash [P] = [Q] :: z{:}[A]$.


Theorem 3.3 (Preservation of Typing)

1. If $\Psi \vdash M : \tau$ then $\{[\Psi]\}; \cdot; \cdot \vdash [M]_z :: z{:}[\tau]$.
2. If $\Psi; \Gamma; \Delta \vdash P :: z{:}A$ then $\{[\Psi]\}; [\Gamma]; [\Delta] \vdash [P] :: z{:}[A]$.


Theorem 3.4 (Operational Correspondence). If $\Psi; \Gamma; \Delta \vdash P :: z{:}A$ and
$\Psi \vdash M : \tau$ then:

1. (a) If $P \to P'$ then $[P] \to^{+} Q$ with $\{[\Psi]\}; [\Gamma]; [\Delta] \vdash Q = [P'] :: z{:}[A]$, and
   (b) if $[P] \to P'$ then $P \to^{*} Q$ with $\{[\Psi]\}; [\Gamma]; [\Delta] \vdash P' = [Q] :: z{:}[A]$.

2. (a) If $M \to M'$ then $[M]_z \to^{+} N$ with $\{[\Psi]\}; \cdot; \cdot \vdash N = [M']_z :: z{:}[\tau]$, and
   (b) if $[M]_z \to P$ then $M \to N$ with $\{[\Psi]\}; \cdot; \cdot \vdash [N]_z = P :: z{:}[\tau]$.


In Theorem 3.4, (a) is commonly referred to as operational completeness,
with (b) establishing soundness. As exemplified above, our encoding satisfies a
very precise operational correspondence with the original $\lambda$-terms.


4 Related and Future Work 


Enriching Session Types via Type Structure. Exploiting the linear logical 
foundations of session types, [25] considers a form of value dependencies where 
session types can state properties of exchanged data values, while the work [29] 
introduces the contextual monad in a simply-typed setting. Our development 
not only subsumes these two works, but goes beyond simple value dependencies 
by extending to a richer type structure and integrating dependencies with the 
contextual monad. Recently, [1] considers a non-conservative extension of linear 
logic-based session types with sharing, allowing true non-determinism. Their 
work includes dependent quantifications with shared channels, but their type 
syntax does not include free type variables, so the actual type dependencies 
do not arise (see [1, 37:8]). Thus none of the examples in this paper can be
represented in [1]. The work [16] studies gradual session types. To the best of 
our knowledge, the main example in [1, Sect. 2] is statically representable in our 
framework as in the example of Sect. 1, where protocol actions depend on values 
that are communicated (or passed as function arguments). 

In the context of multiparty session types, the theory of multiparty indexed 
session types is studied in [7], and implemented in a protocol description lan- 
guage [20]. The main aim of these works is to use indexed types to represent 
an arbitrary number of session participants. The work [31] extends [25] to mul- 
tiparty sessions in order to treat value dependency across multiple participants. 
Extending our framework to multiparty [15] or non-logic based session types [14] 
is an interesting future topic. 


Combining Linear and Dependent Types. Many works have studied the 
various challenges of integrating linearity in dependent functional type theories. 
We focus on the most closely related works. The work [6] introduced the Linear 
Logical Framework (LLF), integrating linearity with the LF [11] type theory, 
which was later extended to the Concurrent Logical Framework (CLF) [33], 
accounting for further linear connectives. Their theory is representable in our 
framework through the contextual monad (encompassing full intuitionistic linear 
logic), depending on linearly-typed processes that can express dependently typed 
functions (Sect. 3). 

The work of [17] integrates linearity with type dependencies by extending 
LNL [2]. Their work is aimed at reasoning about imperative programs using a 
form of Hoare triples, requiring features that we do not study in this work such 
as proof irrelevance and computationally irrelevant quantification. Formally,
their type theory is extensional which introduces significant technical differences 
from our intensional type theory, such as a realisability model in the style of 
NuPRL [10] to establish consistency. 

Recently, [8] proposed an extension of LLF with first-class contexts (which 
may contain both linear and unrestricted hypotheses). While the contextual 
aspects of their theory are reminiscent of our contextual monad, their framework 
differs significantly from ours, since it is designed to enable higher-order abstract 
syntax (commonplace in the LF family of type theories), focusing on a type 
system for canonical LF objects with a meta-language that includes contexts 
and context manipulation. They do not consider additives since their integration 
with first-class contexts can break canonicity. 

While none of the above works considers processes as primitive, their tech- 
niques should be useful for, e.g. developing algorithmic type-checking and inte- 
grating inductive and coinductive session types based on [18, 26,30]. 


Dependent Types and Higher-Order $\pi$-calculus. The work [35] studies a
form of dependent types where the type of processes takes the form of a mapping
$\Delta$ from channels $x$ to channel types $T$ representing an interface of process $P$. The
dependency is specified as $\Pi(x{:}T)\Delta$, representing a channel abstraction of the
environment. This notion is extended to an existential channel dependency type
$\Sigma(x{:}T)\Delta$ to address fresh name creation [13,34]. Combining our process monad
with dependent types can be regarded as an “interface” which describes explicit
channel usages for processes. The main differences are (1) our dependent types
are more general, treating full dependent families including terms and processes
in types, while [13,34,35] study only channel dependency to environments (i.e.
neither terms nor processes appear in types, only channels); and (2) our calculus
emits only fresh names, not needing to handle the complex scoping mechanism
treated in [13,34]. In this sense, the process monad provides an elegant framework
to handle higher-order computations and assign non-trivial types to processes.
Abstract. Instead of a monolithic programming language trying to
cover all features of interest, some programming systems are designed 
by combining together simpler languages that cooperate to cover the 
same feature space. This can improve usability by making each part sim- 
pler than the whole, but there is a risk of abstraction leaks from one 
language to another that would break expectations of the users familiar 
with only one or some of the involved languages. 

We propose a formal specification for what it means for a given lan- 
guage in a multi-language system to be usable without leaks: it should 
embed into the multi-language in a fully abstract way, that is, its con- 
textual equivalence should be unchanged in the larger system. 

To demonstrate our proposed design principle and formal specification 
criterion, we design a multi-language programming system that combines 
an ML-like statically typed functional language and another language 
with linear types and linear state. Our goal is to cover a good part of the 
expressiveness of languages that mix functional programming and linear 
state (ownership), at only a fraction of the complexity. We prove that the 
embedding of ML into the multi-language system is fully abstract: func- 
tional programmers should not fear abstraction leaks. We show examples 
of combined programs demonstrating in-place memory updates and safe 
resource handling, and an implementation extending OCaml with our 
linear language. 


1 Introduction 


Feature accretion is a common trend among mature but actively evolving pro- 
gramming languages, including C++, Haskell, Java, OCaml, Python, and Scala. 
Each new feature strives for generality and expressiveness, and may provide a large 
usability improvement to users of the particular problem domain or programming 
style it was designed to empower (e.g., XML documents, asynchronous communication,
staged evaluation). But feature creep in general-purpose languages may
also make it harder for programmers to master the language as a whole, degrade the 
user experience (e.g., leading to more cryptic error messages), require additional 
work on the part of tooling providers, and lead to fragility in language implemen- 
tations. 

A natural response to increased language complexity is to define subsets 
of the language designed for a better programming experience. For instance, a 
subset can be easier to teach (e.g., “Core” ML¹, Haskell 98 as opposed to GHC
Haskell, Scala mastery levels²); it can facilitate static analysis or decrease the
risk of programming errors, while remaining sufficiently expressive for the target 
users’ needs (e.g., MISRA C, Spark/Ada); it can enforce a common style within 
a company; or it can be designed to encourage a transition to deprecate some 
ill-behaved language features (e.g., strict Javascript). 

Once a subset has been selected, it may be the case that users write whole 
programs purely in the subset (possibly using tooling to enforce that property), 
but programs will commonly rely on other libraries that are not themselves imple- 
mented in the same subset of the language. If users stay in the subset while using 
these libraries, they will only interact with the part of the library whose interface 
is expressible in the subset. But does the behavior of the library respect the expec- 
tations of users who only know the subset? When calling a function from within 
the subset breaks subset expectations, it is a sign of leaky abstraction. 

How should we design languages with useful subsets that manage complexity 
and avoid abstraction leaks? 

We propose to look at this question from a different, but equivalent, angle: 
instead of designing a single big monolithic language with some nicer subsets, we 
propose to consider multi-language programming systems where several smaller 
programming languages interact together to cover the same feature space. Each 
language or sub-combination of languages is a subset, in the above sense, of the 
multi-language, and there is a clear definition of abstraction leaks in terms of user 
experience: a user who only knows some of the languages of the system should be 
able to use the multi-language system, interacting with code written in the other 
languages, without have their expectations violated. If we write a program in Java 
and call a function that, internally, is implemented in Scala, there should be no 
surprises—our experience should be the same as when calling a pure Java function. 
Similarly, consider the subset of Haskell that does not contain IO (input-output as
a type-tracked effect): the expectations of a user of this language, for instance in
terms of valid equational reasoning, should not be violated by adding IO back to
the language, in the absence of the abstraction-leaking unsafePerformIO.

We propose a formal specification for a “no abstraction leaks” guarantee 
that can be used as a design criterion to design new multi-language systems, 
with graceful interoperation properties. It is based on the formal notion of full 
abstraction which has previously been used to study the denotational semantics 


1 https://caml.inria.fr/pub/docs/u3-ocaml/ocaml-ml.html.

of programming languages (Meyer and Sieber 1988; Milner 1977; Cartwright and
Felleisen 1992; Jeffrey and Rathke 2005; Abramsky, Jagadeesan, and Malacaria
2000), and the formal property of compilers (Ahmed and Blume 2008, 2011;
Devriese et al. 2016; New et al. 2016; Patrignani et al. 2015), but not for user-
facing languages. A compiler $C$ from a source language $S$ to a target language
$T$ is fully abstract if, whenever two source terms $s_1$ and $s_2$ are indistinguishable
in $S$, their translations $C(s_1)$ and $C(s_2)$ are indistinguishable in $T$. In a multi-
language $G + E$ formed of a general-purpose, user-friendly language $G$ and a
more advanced language $E$, one that provides an escape hatch for experts to
write code that can't be implemented in $G$, we say that $E$ does not leak into $G$
if the embedding of $G$ into the multi-language $G + E$ is fully abstract.

To demonstrate that our formal specification is reasonable, we design a novel
multi-language programming system that satisfies it. Our multi-language $\lambda^{UL}$
combines a general-purpose functional programming language $\lambda^{U}$ (unrestricted)
of the ML family with an advanced language $\lambda^{L}$ (linear) with linear types and
linear state. It is less convenient to program in $\lambda^{L}$'s restrictive type system, but
users can write programs in $\lambda^{L}$ that could not be written in $\lambda^{U}$: they can use
linear types, locally, to enforce resource usage protocols (typestate), and they
can use linear state and the linear ownership discipline to write programs that
do in-place update to allocate less memory, yet remain observationally pure.

Consider for example the following mixed-language program. The blue frag- 
ments are written in the general-purpose, user-friendly functional language, while 
the red fragments are written in the linear language. The boundaries UL and 
LU allow switching between languages. The program reads all lines from a file, 
accumulating them in a list, and concatenating it into a single string when the 
end-of-file (EOF) is reached. 
    let concat_lines path : String = UL(
      loop (open LU(path)) LU(Nil)
      where rec loop handle LU(acc : List String) =
        match line handle with
        | Next line LU(handle) -> loop handle LU(Cons line acc)
        | EOF handle -> close handle; LU(rev_concat "\n" acc))


The linear type system ensures that the file handle is properly closed: removing 
the close handle call would give a type error. On the other hand, only the parts 
concerned with the resource-handling logic need to be written in the red linear 
language; the user can keep all general-purpose logic (here, how to accumulate 
lines and what to do with them at the end) in the more convenient general- 
purpose blue language—and call this function from a blue-language program. 
Fine-grained boundaries allow users to rely on each language’s strength and to 
use the advanced features only when necessary. 
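As an added illustration, not code from the paper, the same protocol written in Rust, whose ownership discipline is the closest mainstream analogue of $\lambda^{L}$'s linear handles. The in-memory "file", the Line enum and the leak counter are constructions of this example. The point a practitioner should take from it is the caveat: Rust's types are affine rather than linear, so a handle can be dropped without close being called. That compiles, and the example records it at run time, where $\lambda^{L}$ rejects it statically.

```rust
// Added example (not from the paper): the concat_lines protocol in Rust.
// Rust's ownership is affine rather than linear, so a handle may be dropped
// without being closed; the Drop impl below records such leaks at run time
// instead of the compile-time error lambda-L would give.
use std::cell::Cell;

thread_local! {
    // Constructed bookkeeping: number of handles dropped without close().
    static LEAKED: Cell<usize> = Cell::new(0);
}

pub struct Handle {
    lines: Vec<String>, // constructed in-memory "file", read front to back
    pos: usize,
    closed: bool,
}

/// Result of reading a line: the handle is threaded through, as in the paper,
/// so the caller can only continue with the handle it gets back.
pub enum Line {
    Next(String, Handle),
    Eof(Handle),
}

impl Handle {
    pub fn open(contents: &str) -> Handle {
        Handle { lines: contents.lines().map(String::from).collect(), pos: 0, closed: false }
    }

    /// Takes `self` by value: the caller gives up the handle and gets it back
    /// inside the result, so no two readers can hold it at once.
    pub fn line(mut self) -> Line {
        if self.pos < self.lines.len() {
            let l = self.lines[self.pos].clone();
            self.pos += 1;
            Line::Next(l, self)
        } else {
            Line::Eof(self)
        }
    }

    /// Consumes the handle; any later use is a compile error (`self` was moved).
    pub fn close(mut self) {
        self.closed = true;
    }
}

impl Drop for Handle {
    fn drop(&mut self) {
        if !self.closed {
            LEAKED.with(|c| c.set(c.get() + 1));
        }
    }
}

pub fn leaked_handles() -> usize {
    LEAKED.with(|c| c.get())
}

/// concat_lines from the paper: accumulate every line, then close and join.
pub fn concat_lines(contents: &str) -> String {
    fn go(handle: Handle, mut acc: Vec<String>) -> String {
        match handle.line() {
            Line::Next(l, handle) => {
                acc.push(l);
                go(handle, acc)
            }
            Line::Eof(handle) => {
                handle.close();
                acc.join("\n")
            }
        }
    }
    go(Handle::open(contents), Vec::new())
}

/// The affine gap: forgetting close() still compiles. The handle inside the
/// discarded `Line` is simply dropped, and only the Drop counter notices.
pub fn forget_to_close(contents: &str) -> usize {
    let h = Handle::open(contents);
    let _ = h.line();
    leaked_handles()
}

fn main() {
    println!("{}", concat_lines("alpha\nbeta\ngamma"));
    println!("leaked after forgetting close: {}", forget_to_close("x"));
}
```

Taking `self` by value in `line` and `close` gives the "exactly once in sequence" half of linearity: a handle cannot be read twice from the same binding, and reading after `close` does not compile. The other half, "must be consumed", is what Rust cannot express without a linting or run-time check, which is why the paper's "removing close is a type error" does not carry over as stated.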

In this example, the file-handle API specifies that the call to line, which reads
a line, returns the data at type $\lfloor \mathsf{String} \rfloor$. The latter represents how U values of
type String can be put into a lump type to be passed to the linear world, where
they are treated as opaque black boxes that must be passed back to the ML
world for consumption. For other examples, such as in-place list manipulation
or transient operations on a persistent data structure, we will need a deeper
form of interoperability where the linear world creates, dissects or manipulates
U values. To enable this, our multi-language supports translation of types from
one language to the other, using a type compatibility relation $\sigma \sim \varsigma$ between $\lambda^{U}$
types $\sigma$ and $\lambda^{L}$ types $\varsigma$.

We claim the following contributions: 


1. We propose a formal specification of what it means for advanced language
features to be introduced in a (multi-)language system without introducing a
class of abstraction leaks that break equational reasoning. This specification
captures a useful usability property, and we hope it will help us and others
design more usable programming languages, much like the formal notion of
principal types served to better understand and design type inference systems.

2. We design a simple linear language, $\lambda^{L}$, that supports linear state (Sect. 2).
This simple design for linear state is a contribution of its own. A nice property
of the language (shared by some other linear languages) is that the
code has both an imperative interpretation, with in-place memory update,
which provides resource guarantees, and a functional interpretation, which
aids program reasoning. The imperative and functional interpretations have
different resource usage, but the same input/output behavior.

3. We present a multi-language programming system $\lambda^{UL}$ combining a core ML
language, $\lambda^{U}$ (U for Unrestricted, as opposed to Linear) with $\lambda^{L}$ and prove
that the embedding of the ML language $\lambda^{U}$ in $\lambda^{UL}$ is fully abstract (Sect. 3).
Moreover, the multi-language is designed to ensure that our full abstraction
result is stable under extension of the embedded ML language $\lambda^{U}$.


2 The $\lambda^{U}$ and $\lambda^{L}$ Languages


The unrestricted language $\lambda^{U}$ is a run-of-the-mill idealized ML language with
functions, pairs, sums, iso-recursive types and polymorphism. It is presented in
its explicitly typed form; we will not discuss type inference in this work. The
full syntax is described in Fig. 1, and the typing rules in Fig. 2. The dynamic
semantics is completely standard. Having binary sums, binary products and iso-
recursive types lets us express algebraic datatypes in the usual way.

The novelty lies in the linear language $\lambda^{L}$, which we present in several steps.
As is common in $\lambda$-calculi with references, the small-step operational semantics
is given for a language that is not exactly the surface language in which programs


$$
\begin{array}{lrcl}
\text{Types} & \sigma & ::= & \alpha \mid \sigma_1 \times \sigma_2 \mid 1 \mid \sigma_1 \to \sigma_2 \mid \sigma_1 + \sigma_2 \mid \mu\alpha.\sigma \mid \forall\alpha.\sigma \\
\text{Expr.} & e & ::= & x \mid (e_1, e_2) \mid \pi_1 e \mid \pi_2 e \mid () \mid e_1; e_2 \mid \lambda(x{:}\sigma).e \mid e_1\, e_2 \mid \\
& & & \mathsf{inj}_1\, e \mid \mathsf{inj}_2\, e \mid \mathsf{case}\; e' \;\mathsf{of}\; x_1.\, e_1 \mid x_2.\, e_2 \mid \mathsf{fold}_{\mu\alpha.\sigma}\, e \mid \mathsf{unfold}\, e \mid \Lambda\alpha.e \mid e\,[\sigma] \\
\text{Values} & v & ::= & x \mid (v_1, v_2) \mid () \mid \lambda(x{:}\sigma).e \mid \mathsf{inj}_1\, v \mid \mathsf{inj}_2\, v \mid \mathsf{fold}_{\mu\alpha.\sigma}\, v \mid \Lambda\alpha.v \\
\text{Contexts} & \Gamma & ::= & \cdot \mid \Gamma, x{:}\sigma \mid \Gamma, \alpha
\end{array}
$$

Fig. 1. Unrestricted language: syntax
Typing judgment $\Gamma \vdash_U e : \sigma$:

$$
\dfrac{x{:}\sigma \in \Gamma}{\Gamma \vdash_U x : \sigma}
\qquad
\dfrac{}{\Gamma \vdash_U () : 1}
\qquad
\dfrac{\Gamma \vdash_U e : 1 \quad \Gamma \vdash_U e' : \sigma}{\Gamma \vdash_U e;\, e' : \sigma}
\qquad
\dfrac{\Gamma \vdash_U e_1 : \sigma_1 \quad \Gamma \vdash_U e_2 : \sigma_2}{\Gamma \vdash_U (e_1, e_2) : \sigma_1 \times \sigma_2}
\qquad
\dfrac{\Gamma \vdash_U e : \sigma_1 \times \sigma_2}{\Gamma \vdash_U \pi_i\, e : \sigma_i}
$$

$$
\dfrac{\Gamma, x{:}\sigma \vdash_U e : \sigma'}{\Gamma \vdash_U \lambda(x{:}\sigma).e : \sigma \to \sigma'}
\qquad
\dfrac{\Gamma \vdash_U e : \sigma \to \sigma' \quad \Gamma \vdash_U e' : \sigma}{\Gamma \vdash_U e\, e' : \sigma'}
\qquad
\dfrac{\Gamma \vdash_U e : \sigma_i}{\Gamma \vdash_U \mathsf{inj}_i\, e : \sigma_1 + \sigma_2}
\qquad
\dfrac{\Gamma \vdash_U e : \sigma_1 + \sigma_2 \quad \Gamma, x_1{:}\sigma_1 \vdash_U e_1 : \sigma \quad \Gamma, x_2{:}\sigma_2 \vdash_U e_2 : \sigma}{\Gamma \vdash_U \mathsf{case}\; e \;\mathsf{of}\; x_1.\, e_1 \mid x_2.\, e_2 : \sigma}
$$

$$
\dfrac{\Gamma \vdash_U e : \sigma[\mu\alpha.\sigma/\alpha]}{\Gamma \vdash_U \mathsf{fold}_{\mu\alpha.\sigma}\, e : \mu\alpha.\sigma}
\qquad
\dfrac{\Gamma \vdash_U e : \mu\alpha.\sigma}{\Gamma \vdash_U \mathsf{unfold}\, e : \sigma[\mu\alpha.\sigma/\alpha]}
\qquad
\dfrac{\Gamma, \alpha \vdash_U v : \sigma}{\Gamma \vdash_U \Lambda\alpha.v : \forall\alpha.\sigma}
\qquad
\dfrac{\Gamma \vdash_U e : \forall\alpha.\sigma \quad \Gamma \vdash \sigma'}{\Gamma \vdash_U e\,[\sigma'] : \sigma[\sigma'/\alpha]}
$$

Fig. 2. Unrestricted language: static semantics


are written, because memory allocation returns locations $\ell$ that are not in the
grammar of surface terms. Reductions are defined on configurations, a local 
store paired with a term in a slightly larger internal language. We have two 
type systems, a type system on surface terms, that does not mention locations 
and stores—which is the one a programmer needs to know—and a type system 
on configurations, which contains enough static information to reason about the 
dynamics of our language and prove subject reduction. Again, this follows the 
standard structure of syntactic soundness proofs for languages with a mutable 
store. 


2.1 The Core of $\lambda^{L}$


Figure 3 presents the surface syntax of our linear language $\lambda^{L}$. For the syntactic
categories of types $\sigma$ and expressions $e$, the last line contains the constructions
related to the linear store that we only discuss in Sect. 2.2.

In technical terms, our linear type system is exactly propositional intuitionistic
linear logic, extended with iso-recursive types. For simplicity and because
we did not need them, our current system also does not have polymorphism or
additive/lazy pairs $\sigma_1 \,\&\, \sigma_2$. Additive pairs would be a trivial addition, but polymorphism
would require more work when we define the multi-language semantics
in Sect. 3.

In less technical terms, our type system can enforce that values be used linearly, 
meaning that they cannot be duplicated or erased, they have to be deconstructed 
$$
\begin{array}{lrcl}
\text{Types} & \sigma & ::= & \sigma_1 \otimes \sigma_2 \mid 1 \mid \sigma_1 \multimap \sigma_2 \mid \sigma_1 \oplus \sigma_2 \mid \mu\alpha.\sigma \mid \alpha \mid {!}\sigma \mid \mathsf{Box}\,1\,\sigma \mid \mathsf{Box}\,0 \\
\text{Expr.} & e & ::= & x \mid (e_1, e_2) \mid \mathsf{let}\,(x_1, x_2) = e_1 \,\mathsf{in}\, e_2 \mid () \mid e_1; e_2 \mid \lambda(x{:}\sigma).e \mid e_1\, e_2 \mid \\
& & & \mathsf{inj}_1\, e \mid \mathsf{inj}_2\, e \mid \mathsf{case}\; e' \;\mathsf{of}\; x_1.\, e_1 \mid x_2.\, e_2 \mid \mathsf{fold}_{\mu\alpha.\sigma}\, e \mid \mathsf{unfold}\, e \mid \\
& & & \mathsf{share}\, e \mid \mathsf{copy}\, e \mid \mathsf{new}\, e \mid \mathsf{free}\, e \mid \mathsf{box}\, e \mid \mathsf{unbox}\, e \\
\text{Values} & v & ::= & x \mid (v_1, v_2) \mid () \mid \lambda(x{:}\sigma).e \mid \mathsf{inj}_1\, v \mid \mathsf{inj}_2\, v \mid \mathsf{fold}_{\mu\alpha.\sigma}\, v \mid \mathsf{share}\, v \\
\text{Contexts} & \Gamma & ::= & \cdot \mid \Gamma, x{:}\sigma
\end{array}
$$

Fig. 3. Linear language: surface syntax


exactly once. Only some types have this linearity restriction; others allow duplication
and sharing of values at will. We can think of linear values as resources to be
spent wisely; for any linear value somewhere in a term, there can be only one way
to access this value, so we can interpret the language as enforcing an ownership
discipline where whoever points to a linear value owns it.

In particular, linear functions of type $\sigma_1 \multimap \sigma_2$ must be called exactly once,
and their results must in turn be consumed, so they can safely capture linear
resources. On the other hand, the non-linear, duplicable values are those at
types of the form ${!}\sigma$, the exponential modality of linear logic. If the term $e$ has
duplicable type ${!}\sigma$, then the term $\mathsf{copy}\, e$ has type $\sigma$: this creates a local copy of
the value that is uniquely owned by its receiver and must be consumed linearly.

This resource-usage discipline is enforced by the surface typing rules of $\lambda^{L}$,
presented in Fig. 4. They are exactly the standard (two-sided) logical rules of
intuitionistic linear logic, annotated with program terms. The non-duplicability
of linear values is enforced by the way contexts are merged by the inference
rules: if $e_1$ is type-checked in the context $\Gamma_1$ and $e_2$ in $\Gamma_2$, then the linear pair
$(e_1, e_2)$ is only valid in the combined context $\Gamma_1 \uplus \Gamma_2$. The $(\uplus)$ operation is
partial; this combined context is defined only if the variables shared by $\Gamma_1$ and
$\Gamma_2$ are duplicable, that is, their type is of the form ${!}\sigma$. In other words, a variable at a
non-duplicable type in $\Gamma_1 \uplus \Gamma_2$ cannot possibly appear in both $\Gamma_1$ and $\Gamma_2$: it
must appear exactly once³.

The expression $\mathsf{share}\, e$ takes a term at some type $\sigma$ and creates a “shared”
term, whose value will be duplicable. Its typing rule uses a context of the form ${!}\Gamma$,
which is defined as the pointwise application of the $(!)$ connective to all the types
in $\Gamma$. In other words, the context of this rule must only have duplicable types: a
term can only be made duplicable if it does not depend on linear resources from
the context. Otherwise, duplicating the shared value could break the unique-
ownership discipline on these linear resources.
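The context-merge discipline described above, as an added example that is not the paper's own code: an algorithmic checker in Rust for the core of the surface rules (variables, pairs, let-pair, linear functions, share and copy). It implements $\Gamma_1 \uplus \Gamma_2$ the way a type checker usually does, by threading one context through the sub-terms and marking linear variables as they are consumed, and it implements the ${!}\Gamma$ side condition of share by checking the body against the duplicable bindings only. The base types, the expression constructors and the error messages are this example's assumptions.

```rust
// Added example (not the paper's code): an algorithmic checker for the core
// of lambda-L's surface typing rules. The partial merge G1 (+) G2 of Fig. 4 is
// realised by threading one context through the sub-terms and marking each
// linear variable when it is consumed; a second use, or a binder that is
// never used, is rejected. Base types and constructors are assumptions here.
#[derive(Clone, Debug, PartialEq)]
pub enum Ty {
    Base(&'static str),
    Unit,
    Tensor(Box<Ty>, Box<Ty>),
    Lolli(Box<Ty>, Box<Ty>),
    Bang(Box<Ty>),
}
pub enum Expr {
    Var(&'static str),
    Unit,
    Pair(Box<Expr>, Box<Expr>),
    LetPair(&'static str, &'static str, Box<Expr>, Box<Expr>),
    Lam(&'static str, Ty, Box<Expr>),
    App(Box<Expr>, Box<Expr>),
    Share(Box<Expr>),
    Copy(Box<Expr>),
}
pub struct Binding { pub name: &'static str, pub ty: Ty, pub used: bool }

fn duplicable(t: &Ty) -> bool { matches!(t, Ty::Bang(_)) }

/// Pops the innermost binder; a linear one that was never consumed is an error.
fn pop_binder(ctx: &mut Vec<Binding>) -> Result<(), String> {
    let b = ctx.pop().expect("binder pushed by the caller");
    if !b.used && !duplicable(&b.ty) {
        return Err(format!("linear variable {} is never consumed", b.name));
    }
    Ok(())
}

pub fn check(ctx: &mut Vec<Binding>, e: &Expr) -> Result<Ty, String> {
    match e {
        Expr::Var(x) => {
            // Innermost binding wins; a linear one may be used exactly once.
            let b = ctx.iter_mut().rev().find(|b| b.name == *x)
                .ok_or_else(|| format!("unbound variable {}", x))?;
            if !duplicable(&b.ty) {
                if b.used { return Err(format!("linear variable {} used twice", x)); }
                b.used = true;
            }
            Ok(b.ty.clone())
        }
        Expr::Unit => Ok(Ty::Unit),
        Expr::Pair(a, b) => {
            // Checking `a` then `b` on one context is G1 (+) G2: whatever `a`
            // consumed is no longer available to `b`.
            let ta = check(ctx, a)?;
            let tb = check(ctx, b)?;
            Ok(Ty::Tensor(Box::new(ta), Box::new(tb)))
        }
        Expr::LetPair(x, y, e1, e2) => match check(ctx, e1)? {
            Ty::Tensor(t1, t2) => {
                ctx.push(Binding { name: *x, ty: *t1, used: false });
                ctx.push(Binding { name: *y, ty: *t2, used: false });
                let t = check(ctx, e2)?;
                pop_binder(ctx)?;
                pop_binder(ctx)?;
                Ok(t)
            }
            t => Err(format!("let-pair on non-tensor type {:?}", t)),
        },
        Expr::Lam(x, t, body) => {
            ctx.push(Binding { name: *x, ty: t.clone(), used: false });
            let tb = check(ctx, body)?;
            pop_binder(ctx)?;
            Ok(Ty::Lolli(Box::new(t.clone()), Box::new(tb)))
        }
        Expr::App(f, a) => match check(ctx, f)? {
            Ty::Lolli(p, r) => {
                let ta = check(ctx, a)?;
                if *p != ta { return Err(format!("argument {:?} given to {:?}", ta, p)); }
                Ok(*r)
            }
            t => Err(format!("applying a non-function of type {:?}", t)),
        },
        Expr::Share(body) => {
            // share needs a context !G: check the body against a copy holding only
            // the duplicable bindings, so a captured linear variable is unbound.
            // Nothing is consumed, so no usage information has to flow back.
            let mut bang_only: Vec<Binding> = ctx.iter().filter(|b| duplicable(&b.ty))
                .map(|b| Binding { name: b.name, ty: b.ty.clone(), used: false }).collect();
            let t = check(&mut bang_only, body)?;
            Ok(Ty::Bang(Box::new(t)))
        }
        Expr::Copy(body) => match check(ctx, body)? {
            Ty::Bang(t) => Ok(*t),
            t => Err(format!("copy of a non-duplicable type {:?}", t)),
        },
    }
}

/// Type-checks a closed term.
pub fn check_closed(e: &Expr) -> Result<Ty, String> { check(&mut Vec::new(), e) }

fn main() {
    let id = Expr::Lam("x", Ty::Base("A"), Box::new(Expr::Var("x")));
    println!("{:?}", check_closed(&id));
}
```

The swap function $\lambda(p{:}A \otimes B).\,\mathsf{let}\,(x, y) = p\,\mathsf{in}\,(y, x)$ checks at $A \otimes B \multimap B \otimes A$; $\lambda(x{:}A).\,()$ is rejected because $x$ is never consumed, $\lambda(x{:}A).\,(x, x)$ because $x$ is used twice, and $\lambda(x{:}A).\,\mathsf{share}\,x$ because share's context may only contain duplicable bindings, while $\lambda(x{:}{!}A).\,(\mathsf{copy}\,x, \mathsf{copy}\,x)$ is accepted.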

Finally, the linear isomorphism notation for fold and unfold in Fig. 4 defines
them as primitive functions, at the given linear function type, in the empty
context: using them does not consume resources. This notation also means
that, operationally, these two operations shall be inverses of each other. The
rules for the linear store types $\mathsf{Box}\,1\,\sigma$ and $\mathsf{Box}\,0$ are described in Sect. 2.2.


³ Standard presentations of linear logic force contexts to be completely distinct, but
have a separate rule to duplicate linear variables, which is less natural for programming.
Context merge $\Gamma_1 \uplus \Gamma_2$ (partial):

$$
\begin{aligned}
(\Gamma_1, x{:}{!}\sigma) \uplus (\Gamma_2, x{:}{!}\sigma) &\triangleq (\Gamma_1 \uplus \Gamma_2), x{:}{!}\sigma \\
(\Gamma_1, x{:}\sigma) \uplus \Gamma_2 &\triangleq (\Gamma_1 \uplus \Gamma_2), x{:}\sigma \qquad (x \notin \Gamma_2) \\
\Gamma_1 \uplus (\Gamma_2, x{:}\sigma) &\triangleq (\Gamma_1 \uplus \Gamma_2), x{:}\sigma \qquad (x \notin \Gamma_1)
\end{aligned}
$$

Typing judgment $\Gamma \vdash_L e : \sigma$:

$$
\dfrac{}{x{:}\sigma \vdash_L x : \sigma}
\qquad
\dfrac{}{\cdot \vdash_L () : 1}
\qquad
\dfrac{\Gamma \vdash_L e : 1 \quad \Gamma' \vdash_L e' : \sigma}{\Gamma \uplus \Gamma' \vdash_L e;\, e' : \sigma}
\qquad
\dfrac{\Gamma_1 \vdash_L e_1 : \sigma_1 \quad \Gamma_2 \vdash_L e_2 : \sigma_2}{\Gamma_1 \uplus \Gamma_2 \vdash_L (e_1, e_2) : \sigma_1 \otimes \sigma_2}
$$

$$
\dfrac{\Gamma \vdash_L e : \sigma_1 \otimes \sigma_2 \quad \Gamma', x_1{:}\sigma_1, x_2{:}\sigma_2 \vdash_L e' : \sigma}{\Gamma \uplus \Gamma' \vdash_L \mathsf{let}\,(x_1, x_2) = e \,\mathsf{in}\, e' : \sigma}
\qquad
\dfrac{\Gamma, x{:}\sigma \vdash_L e : \sigma'}{\Gamma \vdash_L \lambda(x{:}\sigma).e : \sigma \multimap \sigma'}
\qquad
\dfrac{\Gamma \vdash_L e : \sigma' \multimap \sigma \quad \Gamma' \vdash_L e' : \sigma'}{\Gamma \uplus \Gamma' \vdash_L e\, e' : \sigma}
$$

$$
\dfrac{\Gamma \vdash_L e : \sigma_i}{\Gamma \vdash_L \mathsf{inj}_i\, e : \sigma_1 \oplus \sigma_2}
\qquad
\dfrac{\Gamma \vdash_L e : \sigma_1 \oplus \sigma_2 \quad \Gamma', x_1{:}\sigma_1 \vdash_L e_1 : \sigma \quad \Gamma', x_2{:}\sigma_2 \vdash_L e_2 : \sigma}{\Gamma \uplus \Gamma' \vdash_L \mathsf{case}\; e \;\mathsf{of}\; x_1.\, e_1 \mid x_2.\, e_2 : \sigma}
\qquad
\dfrac{{!}\Gamma \vdash_L e : \sigma}{{!}\Gamma \vdash_L \mathsf{share}\, e : {!}\sigma}
\qquad
\dfrac{\Gamma \vdash_L e : {!}\sigma}{\Gamma \vdash_L \mathsf{copy}\, e : \sigma}
$$

Linear isomorphisms (primitive functions typed in the empty context):

$$
\mu\alpha.\sigma \;\underset{\mathsf{fold}}{\overset{\mathsf{unfold}}{\rightleftarrows}}\; \sigma[\mu\alpha.\sigma/\alpha]
\qquad
1 \;\underset{\mathsf{free}}{\overset{\mathsf{new}}{\rightleftarrows}}\; \mathsf{Box}\,0
\qquad
\mathsf{Box}\,1\,\sigma \;\underset{\mathsf{box}}{\overset{\mathsf{unbox}}{\rightleftarrows}}\; (\mathsf{Box}\,0) \otimes \sigma
$$

Fig. 4. Linear language: surface static semantics
Judgment forms: head reduction $e \rightsquigarrow e'$ and configuration reduction $(s \mid e) \to (s' \mid e')$.

Store operations (new, free, box, unbox; $\ell$ fresh in the rule for new, and $[\ell \mapsto \cdot]$ an allocated but empty cell):

$$
(s \mid \mathsf{new}\,()) \to (s[\ell \mapsto \cdot] \mid \ell)
\qquad
(s[\ell \mapsto \cdot] \mid \mathsf{free}\,\ell) \to (s \mid ())
$$
$$
(s[\ell \mapsto \cdot] \mid \mathsf{box}\,(\ell, v)) \to (s[\ell \mapsto v] \mid \ell)
\qquad
(s[\ell \mapsto v] \mid \mathsf{unbox}\,\ell) \to (s[\ell \mapsto \cdot] \mid (\ell, v))
$$

Head reduction and copying of shared values:

$$
(\lambda(x{:}\sigma).e)\, v \rightsquigarrow e[v/x]
\qquad
\mathsf{copy}\,(\mathsf{share}(s{:}\Psi).\,\mathsf{inj}_i\, v) \rightsquigarrow \mathsf{inj}_i\, \mathsf{copy}\,(\mathsf{share}(s{:}\Psi).\, v)
$$
$$
(\emptyset \mid \mathsf{copy}\,(\mathsf{share}(s{:}\Psi).\, \lambda(x{:}\sigma).e)) \to (s \mid \lambda(x{:}\sigma).e)
$$
$$
\mathsf{copy}\,(\mathsf{share}([\ell \mapsto \cdot] : (\cdot;\, \cdot \vdash \ell : \mathsf{Box}\,0)).\,\ell) \to \mathsf{new}\,()
$$
$$
\mathsf{copy}\,(\mathsf{share}([\ell \mapsto (s \mid v)] : (\Psi;\, {!}\Gamma \vdash \ell : \mathsf{Box}\,1\,\sigma)).\,\ell)
\rightsquigarrow \mathsf{box}\,(\mathsf{new}\,(),\ \mathsf{copy}\,(\mathsf{share}(s{:}\Psi).\, v))
$$

Fig. 5. Internal linear language: typing and reduction (excerpt)
2.2 Linear Memory in $\lambda^{L}$


The surface typing rules for the linear store are given at the end of Fig. 4. The
linear type $\mathsf{Box}\,1\,\sigma$ represents a memory location that holds a value of type
$\sigma$. The type $\mathsf{Box}\,0$ represents a location that has been allocated, but does not
currently hold a value. The primitive operations to act on this type are given as
linear isomorphisms: new allocates, turning a unit value into an empty location;
conversely, free reclaims an empty location. Putting a value into the location and
taking it out are expressed by box and unbox, which convert between a pair of
an empty location and a value, of type $(\mathsf{Box}\,0) \otimes \sigma$, and a full location, of type
$\mathsf{Box}\,1\,\sigma$.

For example, the following program takes a full reference and a value, and 
swaps the value with the content of the reference: 

$$
\lambda(p : (\mathsf{Box}\,1\,\sigma) \otimes \sigma).\ \mathsf{let}\,(r, x) = p \,\mathsf{in}\ \mathsf{let}\,(l, x') = \mathsf{unbox}\, r \,\mathsf{in}\ (\mathsf{box}\,(l, x),\ x')
$$

The programming style following from this presentation of linear memory is func- 
tional, or applicative, rather than imperative. Rather than insisting on the muta- 
bility of references—which is allowed by the linear discipline—we may think of 
the type Box lo as representing the indirection through the heap that is implicit 
in functional programs. In a sense, we are not writing imperative programs with 
a mutable store, but rather making explicit the allocations and dereferences hap- 
pening in higher-level purely functional language. In this view, empty cells allow 
memory reuse. 


This view that $\mathsf{Box}\,1\,\sigma$ represents indirection through the memory suggests
we can encode lists of values of type $\sigma$ by the type
$\mathsf{LinList}\,\sigma = \mu\alpha.\ 1 \oplus \mathsf{Box}\,1\,(\sigma \otimes \alpha)$. The placement of the box inside the sum mirrors the fact
that the empty list is represented as an immediate value in functional languages.
From this type definition, one can write an in-place reverse function on lists of
$\sigma$ as follows:

    fix λ(rev_into : LinList σ ⊸ LinList σ ⊸ LinList σ).
      λ(xs : LinList σ). λ(acc : LinList σ).
        case unfold xs of
        | y. (y; acc)
        | y. let (l, p) = unbox y in
             let (x, xs) = p in
             rev_into xs (fold (inj2 (box (l, (x, acc)))))

Our linear language $\lambda^{L}$ is a formal language that is not terribly convenient
to program directly. We will not present a full surface language in this work,
but one could easily define syntactic sugar to write the exact same function as
follows:

    rev_into Nil acc = acc
    rev_into (Cons (x, xs)@l) acc = rev_into xs (Cons (x, acc)@l)

One can read this function as the usual functional rev_append function on
lists, annotated with memory reuse information: if we assume we are the unique
owner of the input list and won't need it anymore, we can reuse the memory
of its cons cells (given in this example the name $l$) to store the reversed list.
On the other hand, if you read the box and unbox as imperative operations, this
code expresses the usual imperative pointer-reversal algorithm.
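As an added example, not the paper's code, the same function in Rust, where ownership of a `Box<Node>` stands in for $\mathsf{Box}\,1\,\sigma$: taking the cell's tail out is the unbox step, re-linking the cell onto the accumulator is the box step, and the input list is moved into the function so it cannot be used afterwards. The list constructor and the heap-address comparison are constructions of this example; the address check is what makes the "no cell is allocated or freed" claim observable rather than something to take on faith.

```rust
// Added example (not the paper's code): rev_into over an owned linked list in
// Rust, where Box<Node> ownership plays the role of Box 1 sigma. Each step
// takes a cons cell apart (unbox), re-links it onto the accumulator (box) and
// moves on; no cell is allocated or freed, which cell_addrs makes checkable.
pub struct Node {
    pub head: u32,
    pub tail: LinList,
}
pub type LinList = Option<Box<Node>>; // None is Nil, an immediate value

/// Builds a list from a slice (constructed input for the example).
pub fn from_vec(xs: &[u32]) -> LinList {
    xs.iter().rev().fold(None, |acc, &x| Some(Box::new(Node { head: x, tail: acc })))
}

/// Reads the list out without consuming it.
pub fn to_vec(mut xs: &LinList) -> Vec<u32> {
    let mut out = Vec::new();
    while let Some(n) = xs {
        out.push(n.head);
        xs = &n.tail;
    }
    out
}

/// Heap addresses of the cons cells, in list order, to observe memory reuse.
pub fn cell_addrs(mut xs: &LinList) -> Vec<usize> {
    let mut out = Vec::new();
    while let Some(n) = xs {
        out.push(&**n as *const Node as usize);
        xs = &n.tail;
    }
    out
}

/// rev_into xs acc: the imperative pointer-reversal reading of the paper's
/// function. `xs` is taken by value, so the caller loses it (use-after-move
/// is a compile error), and every cell is re-used rather than re-allocated.
pub fn rev_into(mut xs: LinList, mut acc: LinList) -> LinList {
    while let Some(mut cell) = xs {
        xs = cell.tail.take(); // unbox: detach the rest of the input
        cell.tail = acc;       // box: point this cell at the accumulator
        acc = Some(cell);      // Cons (x, acc)@l
    }
    acc
}

/// Reverses a constructed list and reports whether exactly the same cells
/// (by address) make up the result.
pub fn reverse_reusing(xs: &[u32]) -> (Vec<u32>, bool) {
    let list = from_vec(xs);
    let mut before = cell_addrs(&list);
    let reversed = rev_into(list, None);
    let mut after = cell_addrs(&reversed);
    before.sort();
    after.sort();
    (to_vec(&reversed), before == after)
}

fn main() {
    let (ys, reused) = reverse_reusing(&[1, 2, 3, 4]);
    println!("{:?} cells reused: {}", ys, reused);
}
```

Moving a `Box` moves the pointer, not the pointee, so `cell_addrs` after the reversal returns the same set of addresses as before: the cons cells really are rewired in place, exactly the reading the paper gives to box and unbox. Dropping `cell.tail.take()` in favour of reading `cell.tail` twice, or keeping a reference to `list` after the call, does not compile, which is the ownership discipline doing the work that $\Gamma_1 \uplus \Gamma_2$ does in $\lambda^{L}$.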

This double view of linear state occurs in other programming systems with 
linear state. It was recently emphasized in O’Connor et al. (2016), where the 
functional point of view is seen as easing formal verification, while the imperative 
view is used as a compilation technique to produce efficient C code from linear 
programs. 


2.3 Internal $\lambda^{L}$ Syntax and Typing


To give a dynamic semantics for $\lambda^{L}$ and prove it sound, we need to extend the
language with explicit stores and store locations. Indeed, the allocating term
$\mathsf{new}\,()$ should reduce to a “fresh location” $\ell$ allocated in some store $s$, and neither
is part of the surface-language syntax. The corresponding internal typing
judgment is more complex, but note that users do not need to know about it to
reason about correctness of surface programs. The internal typing is essential for
the soundness proof, but also useful for defining the multi-language semantics
in Sect. 3.

We work with configurations $(s \mid e)$, which are pairs of a store $s$ and a term
$e$. Our internal typing judgment $\Psi; \Gamma \vdash_L s \mid e : \sigma$ checks configurations, not just
terms, and relies not only on a typing context for variables $\Gamma$ but also on a store
typing $\Psi$, which maps the locations of the configuration to typing assumptions.

Unfortunately, due to space limits, we will not present this part of the type 
system — which is not directly exposed to users of the language. See some exam- 
ples of reduction rules in Fig. 5, and the long version of this work. 


2.4 Reduction of Internal Terms 


In the long version of this work we give a reduction relation between linear
configurations $(s \mid e) \to_L (s' \mid e')$ and prove a subject reduction result.


Theorem 1 (Subject reduction for $\lambda^{L}$). If $\Psi; \Gamma \vdash_L s \mid e : \sigma$ and $(s \mid e) \to_L
(s' \mid e')$, then there exists a (unique) $\Psi'$ such that $\Psi'; \Gamma \vdash_L s' \mid e' : \sigma$.


3 Multi-language Semantics 


To formally define our multi-language semantics we create a combined language
$\lambda^{UL}$ which lets us compose term fragments from both $\lambda^{U}$ and $\lambda^{L}$ together, and
we give an operational semantics to this combined language. Interoperability is
enabled by specifying how to transport values across the language boundaries.

Multi-language systems in the wild are not defined in this way: both languages
are given a semantics, by interpretation or compilation, in terms of a shared lower- 
level language (C, assembly, the JVM or CLR bytecode, or Racket’s core forms), 
and the two languages are combined at that level. Our formal multi-language 
description can be seen as a model of such combinations, that gives a specification 
of the expected observable behavior of this language combination. 

Another difference from multi-languages in the wild is our use of very fine- 
grained language boundaries: a term written in one language can have its sub- 
terms written in the other, provided the type-checking rules allow it. Most multi- 
language systems, typically using Foreign Function Interfaces, offer coarser- 
grained composition at the level of compilation units. Fine-grained composition 
of existing languages, as done in the Eco project (Barrett et al. 2016), is difficult 
because of semantic mismatches. In the full version of this work we demonstrate 
that fine-grained composition is a rewarding language design, enabling new pro- 
gramming patterns. 


3.1 Lump Type and Language Boundaries 


The core components of the multi-language semantics are shown in Fig. 6; the com- 
munication of values from one language to the other will be described in the next 
section. The multi-language λ^{UL} has two distinct syntactic categories of types, 
values, and expressions: those that come from λ^U and those that come from λ^L. 
Contexts, on the other hand, are mixed, and can have variables of both sorts. 
For a mixed context Γ, the notation !Γ only applies (!) to its linear variables. 

The typing rules of λ^U and λ^L are imported into our multi-language system, 
working on those two separate categories of program. They need to be extended 
to handle mixed contexts Γ instead of their original, single-language contexts. In the 
linear case, the rules look exactly the same. In the ML case, the typing rules 
implicitly duplicate all the variables in the context. It would be unsound to 
extend them to arbitrary linear variables, so they use a duplicable context !Γ. 

To build interesting multi-language programs, we need a way to insert a 
fragment coming from one language into a term written in the other. This is done 
using language boundaries, two new term formers LU(e) and UL(s:Ψ | e) that 
inject an ML term into the syntactic category of linear terms, and a linear 
configuration into the syntactic category of ML terms. 

Of course, we need new typing rules for these term-level constructions, clar- 
ifying when it is valid to send a value from λ^U into λ^L and vice versa. It would 
be incorrect to allow sending any type from one language into the other (for 
instance, by adding the counterpart of our language boundaries in the syntax 
of types), since values of linear types must be uniquely owned, so they cannot 
possibly be sent to the ML side, as the ML type system cannot enforce unique 
ownership. 

On the other hand, any ML value could safely be sent to the linear world. For 
closed types, we could provide a corresponding linear type (1 maps to !1, etc.), 
but an ML value may also be typed by an abstract type variable α, in which 
case we can't know what the linear counterpart should be. Instead of trying to 
provide translations, we will send any ML type σ to the lump type ⌊σ⌋, which 
embeds ML types into linear types. A lump is a black box, not a type translation: 
the linear language does not assume anything about the behavior of its values; 
the values of ⌊σ⌋ are of the form ⌊v⌋, where v : σ is an ML value that the linear 
world cannot use. More precisely, we only propagate the information that ML 
values are all duplicable by sending σ to !⌊σ⌋. 

The typing rules for language boundaries insert lumps when going from λ^U 
to λ^L, and remove them when going back from λ^L to λ^U. In particular, arbitrary 
linear types cannot occur at the boundary: they must be of the form !⌊σ⌋. 


Fig. 6. Multi-language: lump and boundaries 

Types (ML σ, linear σ): 
  $\sigma ::= \ldots$ (ML types, unchanged from Figure 1) 
  $\sigma ::= \ldots \mid \lfloor \sigma \rfloor$ (linear types, extended with the lump of an ML type) 

Values (ML v, linear v): 
  $v ::= \ldots$ (ML values, unchanged from Figure 1) 
  $v ::= \ldots \mid \lfloor v \rfloor$ (linear values, extended with lumped ML values) 

Expressions: 
  $e ::= \ldots \mid \mathrm{UL}(s{:}\Psi \mid e)$ (ML expressions), with $\mathrm{UL}(e) \triangleq \mathrm{UL}(\emptyset{:}\cdot \mid e)$ 
  $e ::= \ldots \mid \mathrm{LU}(e)$ (linear expressions) 

Contexts (mixed): $\Gamma ::= \cdot \mid \Gamma, x{:}\sigma \mid \Gamma, \alpha \mid \Gamma, x{:}\sigma$ (ML variable, type variable, linear variable) 

Typing judgments: $!\Gamma \vdash_{UL} e : \sigma$ (ML terms) and $\Psi \mid \Gamma \vdash_{UL} s \mid e : \sigma$ (linear configurations), 
reusing the single-language judgments $\Gamma \vdash_{U} e : \sigma$ and $\Psi; \Gamma \vdash_{L} s \mid e : \sigma$: 
  (Typing rules of $\Gamma \vdash_{U} e : \sigma$ reused, with mixed context $!\Gamma$) 
  (Typing rules of $\Psi; \Gamma \vdash_{L} s \mid e : \sigma$ reused, with mixed context $\Gamma$) 

$$\frac{!\Gamma \vdash_{UL} e : \sigma}{\cdot \mid\, !\Gamma \vdash_{UL} \emptyset \mid \mathrm{LU}(e) : !\lfloor \sigma \rfloor} 
\qquad 
\frac{\Psi \mid\, !\Gamma \vdash_{UL} s \mid e : !\lfloor \sigma \rfloor}{!\Gamma \vdash_{UL} \mathrm{UL}(s{:}\Psi \mid e) : \sigma}$$ 

Reduction rules (reduction rules of $\lambda^{U}$ and $\lambda^{L}$ reused unchanged): 

$$\mathrm{LU}(v) \to \lfloor v \rfloor \qquad \mathrm{UL}(\emptyset{:}\cdot \mid \mathrm{share}\ \lfloor v \rfloor) \to v$$ 

$$\frac{\Psi \mid \Gamma \vdash_{UL} s \mid e : \sigma \qquad (s \mid e) \to (s' \mid e') \qquad \Psi' \mid \Gamma \vdash_{UL} s' \mid e' : \sigma}{\mathrm{UL}(s{:}\Psi \mid e) \to \mathrm{UL}(s'{:}\Psi' \mid e')}$$ 
Fig. 7. Interoperability: static and dynamic semantics (excerpt). [Two panels: the static compatibility relation σ ~ σ between ML and linear types, and the value conversion v ↔ v between their values; the rules themselves are not recoverable from the extraction and are described in prose in Sect. 3.2 and 3.3.] 


Finally, boundaries have reduction rules: a term or configuration inside a 
boundary in reduction position is reduced until it becomes a value, and then 
a lump is added or removed depending on the boundary direction. Note that 
because the v in UL(s:Ψ | v) is at a duplicable type !⌊σ⌋, we know by inversion 
that the store is empty. 


3.2 Interoperability: Static Semantics 


If the linear language could not interact with lumped values at all, our multi- 
language programs would be rather boring, as the only way for the linear exten- 
sion to provide a value back to ML would be to have received it from λ^U and 
pass it back unchanged (as in the lump embedding of Matthews and Findler 
(2009)). To provide a real interaction, we provide a way to extract values out of 
a lump !⌊σ⌋, use them at some linear type σ, and put them back in before sending the 
result to λ^U. 

The correspondence between intuitionistic types σ and linear types σ is spec- 
ified by a heterogeneous compatibility relation σ ~ σ, defined in full in Fig. 7. 
The specification of this relation is that if σ ~ σ holds, then the spaces of values 
of !⌊σ⌋ and σ are isomorphic: we can convert back and forth between them. When 
this relation holds, the term-formers lump^σ and ^σunlump perform the conversion. 

The term LU(e) turns an e : σ into a lumped type !⌊σ⌋, and we need to unlump 
it with some ^σunlump for a compatible σ ~ σ to interact with it on the linear 
side. It is common to combine both operations and we provide syntactic sugar 
for it: ^σLU(e). Similarly UL^σ(e) first lumps a linear term then sends the result 
to the ML world. 


3.3 Interoperability: Dynamic Semantics 


When the relation σ ~ σ holds, we can define a relation v ↔^{σ~σ} v between the 
values of σ and the values of σ; see the long version of this work. It is func- 
tional in both directions: with our definition v is uniquely determined from v and 
conversely. We then define the reduction rules for (un)lumping: if v ↔^{σ~σ} v, then 

$$(\emptyset \mid {}^{\sigma}\mathrm{unlump}\ (\mathrm{share}\ \lfloor v \rfloor)) \to (\emptyset \mid v) \qquad (\emptyset \mid \mathrm{lump}^{\sigma}\ v) \to (\emptyset \mid \mathrm{share}\ \lfloor v \rfloor)$$ 


3.4 Full Abstraction from λ^U into λ^{UL} 


We can now state the major meta-theoretical result of this work, which is that the 
proposed multi-language design extends the simple language λ^U in a way that 
provably has, in a certain sense, "no abstraction leaks". 


Definition 1 (Contextual equivalence in λ^U). We say that e, e' such that 
Γ ⊢_U e, e' : σ are contextually equivalent, written e ≈_ctx e', if, for any expression 
context C[□] such that · ⊢_U C[e] : 1, the closed terms C[e] and C[e'] are equi- 
terminating. 


Definition 2 (Contextual equivalence in λ^{UL}). We say that e, e' such that 
Γ ⊢_UL e, e' : σ are contextually equivalent, written e ≈_ctx e', if, for any expres- 
sion context C[□] such that · ⊢_UL C[e] : 1, the closed terms C[e] and C[e'] are 
equi-terminating. 


Theorem 2 (Full Abstraction). The embedding of λ^U into λ^{UL} is fully 
abstract: 

$$\Gamma \vdash_{U} e, e' : \sigma \implies \big(e \approx_{\mathit{ctx}} e' \text{ in } \lambda^{U} \iff e \approx_{\mathit{ctx}} e' \text{ in } \lambda^{UL}\big)$$ 


4 Conclusion and Related Work 


Having a stack of usable, interoperable languages, extensions or dialects is at the 
forefront of the Racket approach to programming environments, in particular for 
teaching (Felleisen et al. 2004). 

Our multi-language semantics builds on the seminal work by Matthews 
and Findler (2009), who gave a formal semantics of interoperability between 
a dynamically and a statically typed language. Others have followed the 
Matthews-Findler approach of designing multi-language systems with fine- 
grained boundaries—for instance, formalizing interoperability between a simply 
and dependently typed language (Osera et al. 2012); between a functional and 
typed assembly language (Patterson et al. 2017); between an ML-like and an 
affinely typed language, where linearity is enforced at runtime on the ML side 
using stateful contracts (Tov and Pucella 2010); and between the source and 
target languages of compilation to specify compiler correctness (Perconti and 
Ahmed 2014). However, all these papers address only the question of soundness 
of the multi-language; we propose a formal treatment of usability and absence 
of abstraction leaks. 

The only work to establish that a language embeds into a multi-language 
in a fully abstract way is the work on fully abstract compilation by Ahmed 
and Blume (2011) and New et al. (2016) who show that their compiler’s source 
language embeds into their source-target multi-language in a fully abstract way. 
But the focus of this work was on fully abstract compilation, not on usability of 
user-facing languages. 

The Eco project (Barrett et al. 2016) is studying multi-language systems 
where user-exposed languages are combined in a very fine-grained way; it is 
closely related in that it studies the user experience in a multi-language sys- 
tem. The choice of an existing dynamic language creates delicate interoperability 
issues (conflicting variable scoping rules, etc.) as well as performance challenges. 
We propose a different approach, to design new multi-languages from scratch 
with interoperability in mind to avoid legacy obstacles. 

We are not aware of existing systems exploiting the simple idea of using 
promotion to capture uniquely-owned state and dereliction to copy it—common 
formulations would rather perform copies on the contraction rule. 

The general idea that linear types can permit reuse of unused allocated cells 
is not new. In Wadler (1990), a system is proposed with both linear and non- 
linear types to attack precisely this problem. It is however more distant from 
standard linear logic and somewhat ad-hoc; for example, there is no way to 
permanently turn a uniquely-owned value into a shared value, it provides instead 
a local borrowing construction that comes with ad-hoc restrictions necessary for 
safety. (The inability to give up unique ownership, which is essential in our list- 
programming examples, seems to also be missing from Rust, where one would 
need to perform a costly operation of traversing the graph of the value to turn 
all pointers into Arc nodes.) 

The RAML project (Hoffmann et al. 2012) also combines linear logic and 
memory reuse: its destructive match operator will implicitly reuse consumed 
cells in new allocations occurring within the match body. Multi-languages give 
us the option to explore more explicit, flexible representations of those low-level 
concerns, without imposing the complexity on all programmers. 

A recent related work is the Cogent language (O’Connor et al. 2016), in 
which linear state is also viewed as both functional and imperative — the latter 
view enabling memory reuse. The language design is interestingly reversed: in 
Cogent, the linear layer is the simple language that everyone uses, and the non- 
linear language is a complex but powerful language that is used when one really 
has to, named C. 




Our linear language λ^L is markedly simpler, and in several ways less expressive, 
than advanced programming languages based on linear logic (Tov and Pucella 
2011), separation logic (Balabonski et al. 2016), or fine-grained permissions (Garcia 
et al. 2014): it is not designed to stand on its own, but to serve as a useful side- 
kick to a functional language, allowing safer resource handling. 

One major simplification of our design compared to more advanced linear or 
separation-logic-based languages is that we do not separate physical locations 
from the logical capability/permission to access them (e.g., as in Ahmed et al. 
(2007)). This restricts expressiveness in well-understood ways (Fahndrich and 
DeLine 2002): shared values cannot point to linear values. 

Alms (Tov and Pucella 2011), Quill (Morris 2016) and Linear Haskell 
(Bernardy et al. 2018) add linear types to a functional language, trying hard 
not to lose desirable usability properties, such as type inference or the generic- 
ity of polymorphic higher-order functions. This is very challenging; for exam- 
ple, Linear Haskell gives up on principality of inference. Our multi-language 
design side-steps this issue as the general-purpose language remains unchanged. 
Language boundaries are more rigid than an ideal no-compromise language, as 
they force users to preserve the distinction between the general-purpose and the 
advanced features; it is precisely this compromise that gives a design of reduced 
complexity. 

Finally, on the side of the semantics, our system is related to LNL (Benton 
1994), a calculus for linear logic that, in a sense, is itself built as a multi-language 
system where (non-duplicable) linear types and (duplicable) intuitionistic types 
interact through a boundary. It is not surprising that our design contains an 
instance of this adjunction: for any ML type σ there is a unique linear type σ' such 
that σ ~ !σ', and converting a σ value to this σ' and back gives a !σ' and is provably 
equivalent, by boundary cancellation, to just using share. 
Abstract. We present an automata-theoretic framework for the model 
checking of true concurrency properties. These are specified in a fix- 
point logic, corresponding to history-preserving bisimilarity, capable of 
describing events in computations and their dependencies. The models 
of the logic are event structures or any formalism which can be given a 
causal semantics, like Petri nets. Given a formula and an event struc- 
ture satisfying suitable regularity conditions we show how to construct 
a parity tree automaton whose language is non-empty if and only if the 
event structure satisfies the formula. The automaton, due to the nature 
of event structure models, is usually infinite. We discuss how it can be 
quotiented to an equivalent finite automaton, where emptiness can be 
checked effectively. In order to show the applicability of the approach, 
we discuss how it instantiates to finite safe Petri nets. As a proof of 
concept we provide a model checking tool implementing the technique. 


1 Introduction 


Behavioural logics with the corresponding verification techniques are a corner- 
stone of automated verification. For concurrent and distributed systems, so-called 
true concurrent models can be an appropriate choice, since they describe not only 
the possible steps in the evolution of the system but also their causal dependen- 
cies. A widely used foundational model in this class is given by Winskel’s event 
structures [1]. They describe the behaviour of a system in terms of events in 
computations and two dependency relations: a partial order modelling causality 
and an additional relation modelling conflict. A survey on the use of such causal 
models can be found in [2]. Recently they have been used in the study of con- 
currency in weak memory models [3,4], for process mining and differencing [5], 
in the study of atomicity [6] and of information flow [7] properties. 

Operational models can be abstracted by considering true concurrent equiv- 
alences that range from hereditary history preserving bisimilarity to the coarser 
pomset and step equivalences (see, e.g., [8]) and behavioural logics expressing 
causal properties (see, e.g., [9-14] for a necessarily partial list and [15-19] for 
some related verification techniques). 

Event-based logics have been recently introduced [20,21], capable of uni- 
formly characterising the equivalences in the true concurrent spectrum. Their for- 
mulae include variables which are bound to events in computations and describe 
their dependencies. While the relation between operational models, behavioural 
equivalences and event-based true concurrent logics is well understood, the cor- 
responding model checking problem has received limited attention. 

We focus on the logic referred to as L_hp in [20], corresponding to a classical 
equivalence in the spectrum, i.e., history preserving (hp-)bisimilarity [22-24]. 

Decidability of model checking is not obvious since event structure models are 
infinite even for finite state systems and the possibility of expressing properties 
that depend on the past often leads to undecidability [25]. In a recent paper [26] 
we proved the decidability of the problem for the alternation free fragment of 
the logic L_hp over a class of event structures satisfying a suitable regularity 
condition [27] referred to as strong regularity. The proof relies on a tableau- 
based model checking procedure. Despite the infiniteness of the model, a suitable 
stop condition can be identified, ensuring that a successful finite tableau can be 
generated if and only if the formula is satisfied by the model. 

Besides the limitation to the alternation free fragment of L_hp, a shortcoming 
of the approach is that a direct implementation of the procedure can be extremely 
inefficient. Roughly speaking, the problem is that in the search of a successful 
tableau, branches which are, in some sense, equivalent are explored several times. 

In this paper we devise an automata-theoretic technique, in the style of [28], 
for model checking L_hp that works for the full logic, without constraints on the 
alternation depth. Besides providing an alternative approach for model-checking 
L_hp, amenable to a more efficient implementation, this generalises the decidabil- 
ity result of [26] to the full logic L_hp. Given a formula in L_hp and a strongly 
regular event structure, the procedure generates a parity tree automaton. Sat- 
isfiability is reduced to emptiness in the sense that the event structure satisfies 
the formula if and only if the automaton accepts a non-empty language. 

The result is not directly usable for practical purposes since the automaton 
is infinite for any non-trivial event structure. However an equivalence on states 
can be defined such that the quotiented automaton accepts the same language 
as the original one. Whenever such equivalence is of finite index the quotiented 
automaton is finite, so that satisfaction of the formula can be checked effectively 
on the quotient. We show that for all strongly regular event structures a canonical 
equivalence always exists that is of finite index. 

The procedure is developed abstractly on event structures. A concrete algo- 
rithm on some formalism requires the effectiveness of the chosen equivalence on 
states. We develop a concrete instantiation of the algorithm on finite safe Petri 
nets. It is implemented in a tool, wishfully called True concurrency workbench 
(TCWB), written in Haskell. Roughly, the search of an accepting run in the 
automaton can be seen as an optimisation of the procedure for building a suc- 
cessful tableau in [26] where the graph structure underlying the automaton helps 
in the reuse of the information discovered. Some tests reveal that the TCWB is 
way more efficient than the direct implementation of the tableau-based proce- 
dure (which could not manage most of the examples in the TCWB repository). 

The rest of the paper is structured as follows. In Sect. 2 we review event 
structures, strong regularity and the logic L_hp of interest in the paper. In Sect. 3 
we introduce (infinite state) parity tree automata and we show how the model 
checking problem for L_hp on strongly regular PES can be reduced to the non- 
emptiness of the language of such automata. In Sect. 4 we discuss the instanti- 
ation of the approach to Petri nets. Finally, in Sect. 5 we discuss some related 
work and outline directions of future research. Due to space limitations, proofs 
are only sketched. 


2 Event Structures and True Concurrent Logic 


We introduce prime event structures [1] and the subclass of strongly regular 
event structures on which our model checking approach will be developed. Then 
we present the logic for true concurrency of interest in the paper. 


2.1 Prime Event Structures and Regularity 


Throughout the paper 𝔼 is a fixed countable set of events, Λ a finite set of labels 
ranged over by a, b, c, ... and λ : 𝔼 → Λ a labelling function. 


Definition 1 (prime event structure). A (Λ-labelled) prime event structure 
(PES) is a tuple 𝓔 = (E, ≤, #), where E ⊆ 𝔼 is the set of events and ≤, # 
are binary relations on E, called causality and conflict respectively, such that: 
1. ≤ is a partial order and ⌈e⌉ = {e' ∈ E | e' ≤ e} is finite for all e ∈ E; 
2. # is irreflexive, symmetric and inherited along ≤, i.e., for all e, e', e'' ∈ E, if 
e # e' ≤ e'' then e # e''. 

The PESs 𝓔_1 = (E_1, ≤_1, #_1), 𝓔_2 = (E_2, ≤_2, #_2) are isomorphic, written 𝓔_1 ~ 
𝓔_2, when there is a bijection ι : E_1 → E_2 such that for all e_1, e_1' ∈ E_1 it holds 
e_1 ≤_1 e_1' iff ι(e_1) ≤_2 ι(e_1') and e_1 #_1 e_1' iff ι(e_1) #_2 ι(e_1') and λ(e_1) = λ(ι(e_1)). 


In the following, we will assume that the components of a PES 𝓔 are named 
as in the definition above, possibly with subscripts. The concept of concurrent 
computation for PESs is captured by the notion of configuration. 


Definition 2 (configuration). A configuration of a PES 𝓔 is a finite set of 
events C ⊆ E consistent (i.e., ¬(e # e') for all e, e' ∈ C) and causally closed 
(i.e., ⌈e⌉ ⊆ C for all e ∈ C). We denote by C(𝓔) the set of configurations of 𝓔. 


The evolution of a PES can be represented by a transition system over con- 
figurations, with the empty configuration as initial state. 


Definition 3 (transition system). Let 𝓔 be a PES and let C ∈ C(𝓔). Given 
e ∈ E \ C such that C ∪ {e} ∈ C(𝓔), and X, Y ⊆ C with X ⊆ ⌈e⌉, Y ∩ ⌈e⌉ = ∅ 
we write $C \xrightarrow{X, Y <_e \lambda(e)} C \cup \{e\}$. The set of enabled events at a configuration C 
is defined as en(C) = {e ∈ E | C →^e C'}. The PES is called k-bounded for some 
k ∈ ℕ (or simply bounded) if |en(C)| ≤ k for all C ∈ C(𝓔). 

Fig. 1. (a) A PES 𝓔_N associated with the net N in (b) via its unfolding (c). 


Transitions are labelled by the executed event e. In addition, they report its label 
λ(e), a subset of causes X and a set of events Y ⊆ C concurrent with e. When 
X or Y are empty they are normally omitted, e.g., we write $C \xrightarrow{X <_e \lambda(e)} C'$ 
for $C \xrightarrow{X, \emptyset <_e \lambda(e)} C'$ and $C \xrightarrow{e} C'$ for $C \xrightarrow{\emptyset, \emptyset <_e \lambda(e)} C'$. 
The PES modelling a non-trivial system is normally infinite. We will work on 
a subclass identified by finitarity requirements on the possible substructures. 


Definition 4 (residual). Let 𝓔 be a PES. For a configuration C ∈ C(𝓔), the 
residual of 𝓔 after C, is defined as 𝓔[C] = {e | e ∈ E \ C ∧ C ∪ {e} consistent}. 


The residual of 𝓔 can be seen as a PES, endowed with the restriction of causality 
and conflict of 𝓔. Intuitively, it represents the PES that remains to be executed 
after the computation expressed by C. Given C ∈ C(𝓔) and X ⊆ C, we denote 
by 𝓔[C] ∪ X the PES obtained from 𝓔[C] by adding the events in X with the 
causal dependencies they had in the original PES 𝓔. 


Definition 5 (strong regularity). A PES 𝓔 is called strongly regular when 
it is bounded and for each k ∈ ℕ the set {𝓔[C] ∪ {e_1, ..., e_k} | C ∈ C(𝓔) ∧ 
e_1, ..., e_k ∈ C} is finite up to isomorphism of PESs. 


Strong regularity [26] is obtained from the notion of regularity in [27], by 
replacing residuals with residuals extended with a bounded number of events 
from the past. Intuitively, this is important since we are interested in history 
dependent properties. We will later show in Sect. 4 that the PESs associated 
with finite safe Petri nets, i.e., the regular trace PESs [27], are strongly regular. 

A simple PES is depicted in Fig. 1a. Graphically, curly lines represent imme- 
diate conflicts and the causal partial order proceeds upwards along the straight 
lines. Events are denoted by their labels, possibly with superscripts. For instance, 
in Ey, the events a? and b?, labelled by a and b, respectively, are in conflict. 
Event c^0 causes the events a^i and it is concurrent with b^i for all i ∈ ℕ. It is 
an infinite PES associated with the Petri net N in Fig. 1b in a way that will 
be discussed in Sect. 4.1, hence it is strongly regular by Corollary 1. It has 
five (equivalence classes of) residuals extended with an event from the past 
En [{b°}]U {b?}, Enc’, b?}]U{b°}, Ewl{e?, a? HU {2}, EnH’, a} U {a°}, and 
En[{c?, b°, at }] U {b°}. 


2.2 True Concurrent Logic 


The logic of interest for this paper, originally defined in [20], is a Hennessy- 
Milner style logic that allows one to specify the dependencies (causality and 
concurrency) between events in computations. 

Logic formulae include event variables, from a fixed denumerable set Var, 
denoted by x, y, .... Tuples of variables like x_1, ..., x_n will be denoted by a corre- 
sponding boldface letter x and, abusing the notation, tuples will be often used as 
sets. The logic includes diamond and box modalities. The formula ⟨x, y < a z⟩ φ 
holds in a configuration when an a-labelled event e is enabled which causally 
depends on the events bound to x and is concurrent with those in y. Event e is 
executed and then the formula φ must hold, with e bound to variable z. Dually, 
[x, y < a z] φ is satisfied when all a-labelled events causally dependent on x and 
concurrent with y bring to a configuration where φ holds. 

For dealing with fixpoint operators we fix a denumerable set 𝒳 of abstract 
propositions, ranged over by X, Y, .... Each abstract proposition X has an arity 
ar(X) and it represents a formula with ar(X) (unnamed) free event variables. 
Then, for x such that |x| = ar(X), we write X(x) to indicate the abstract 
proposition X whose free event variables are named x. 


Definition 6 (syntax). The syntax of L_hp over the sets of event variables Var, 
abstract propositions 𝒳 and labels Λ is defined as follows: 

$$\begin{array}{rcl} 
\varphi & ::= & X(\mathbf{x}) \mid \mathsf{T} \mid \varphi \wedge \varphi \mid \langle \mathbf{x}, \mathbf{y} < a\, z\rangle\, \varphi \mid \nu X(\mathbf{x}).\varphi \\ 
        & \mid & \mathsf{F} \mid \varphi \vee \varphi \mid [\mathbf{x}, \mathbf{y} < a\, z]\, \varphi \mid \mu X(\mathbf{x}).\varphi 
\end{array}$$ 


For a formula φ we denote by fv(φ) its free event variables, defined in the 
obvious way. Just note that the modalities act as binders for the variable rep- 
resenting the event executed, hence fv(⟨x, y < a z⟩ φ) = fv([x, y < a z] φ) = 
(fv(φ) \ {z}) ∪ x ∪ y. For formulae νX(x).φ and μX(x).φ we require that 
fv(φ) = x. The free propositions in φ not bound by μ or ν are denoted by 
fp(φ). When both fv(φ) and fp(φ) are empty we say that φ is closed. When x 
or y are empty they are omitted, e.g., we write ⟨a z⟩ φ for ⟨∅, ∅ < a z⟩ φ. 

For example, the formula φ_1 = ⟨c x⟩(⟨x, ∅ < a y⟩T ∧ ⟨∅, x < b z⟩T) requires 
that, after the execution of a c-labelled event, one can choose between a causally 
dependent a-labelled event and a concurrent b-labelled event. It is satisfied by 
𝓔_N in Fig. 1a. Instead φ_2 = ⟨c x⟩(⟨∅, x < a y⟩T ∧ ⟨∅, x < b z⟩T), requiring both 
events to be concurrent, would be false. Moving to infinite computations, consider 
φ_3 = [b x] νZ(x).(⟨c z⟩⟨∅, z < b y⟩T ∧ [x, ∅ < b y] Z(y)), expressing that all non-empty 
causal chains of b-labelled events reach a state where it is possible to execute two 
concurrent events labelled c and b, respectively. Then φ_3 holds in 𝓔_N. Another 
formula satisfied by 𝓔_N is φ_4 = ⟨c x⟩⟨∅, x < b y⟩ νX(x, y).⟨y, x < b z⟩ X(x, z), 
requiring the existence of an infinite causal chain of b-labelled events, concurrent 
with a c-labelled event. 

The logic L_hp is interpreted over PESs. The satisfaction of a formula is defined 
with respect to a configuration C and a (total) function η : Var → E, called 
an environment, that binds free variables in φ to events in C. Namely, if Env_𝓔 
denotes the set of environments, the semantics of a formula will be a set of pairs 
in C(𝓔) × Env_𝓔. The semantics of L_hp also depends on a proposition environment 
π : 𝒳 → 2^{C(𝓔) × Env_𝓔} which provides an interpretation for propositions. In order to 
ensure that the semantics of a formula only depends on the events associated with 
its free variables and is independent of the naming of the variables, it is required 
that if (C, η) ∈ π(X(x)) and η'(y) = η(x) pointwise, then (C, η') ∈ π(X(y)). 
We denote by PEnv_𝓔 the set of proposition environments, ranged over by π. 

We can now give the semantics of logic L_hp. Given an event environment η 
and an event e we write η[x ↦ e] for the updated environment which maps x 
to e. Similarly, for a proposition environment π and S ⊆ C(𝓔) × Env_𝓔, we write 
π[Z(x) ↦ S] for the corresponding update. 


Definition 7 (semantics). Let 𝓔 be a PES. The denotation of a formula φ 
in L_hp is given by the function {|·|}_𝓔 : L_hp → PEnv_𝓔 → 2^{C(𝓔) × Env_𝓔} defined 
inductively as follows, where we write {|φ|}^𝓔_π instead of {|φ|}_𝓔(π): 

$$\begin{aligned} 
\{\!|\mathsf{T}|\!\}_\pi &= \mathcal{C}(\mathcal{E}) \times \mathit{Env}_{\mathcal{E}} & 
\{\!|\mathsf{F}|\!\}_\pi &= \emptyset & 
\{\!|Z(\mathbf{y})|\!\}_\pi &= \pi(Z(\mathbf{y})) \\ 
\{\!|\varphi_1 \wedge \varphi_2|\!\}_\pi &= \{\!|\varphi_1|\!\}_\pi \cap \{\!|\varphi_2|\!\}_\pi & 
\{\!|\varphi_1 \vee \varphi_2|\!\}_\pi &= \{\!|\varphi_1|\!\}_\pi \cup \{\!|\varphi_2|\!\}_\pi \\ 
\{\!|\langle \mathbf{x}, \mathbf{y} < a\, z\rangle\, \varphi|\!\}_\pi &= \{(C, \eta) \mid \exists e.\ C \xrightarrow{\eta(\mathbf{x}), \eta(\mathbf{y}) <_e a} C' \wedge (C', \eta[z \mapsto e]) \in \{\!|\varphi|\!\}_\pi\} \\ 
\{\!|[\mathbf{x}, \mathbf{y} < a\, z]\, \varphi|\!\}_\pi &= \{(C, \eta) \mid \forall e.\ C \xrightarrow{\eta(\mathbf{x}), \eta(\mathbf{y}) <_e a} C' \Rightarrow (C', \eta[z \mapsto e]) \in \{\!|\varphi|\!\}_\pi\} \\ 
\{\!|\nu Z(\mathbf{x}).\varphi|\!\}_\pi &= \mathrm{gfp}(f_{\varphi, Z(\mathbf{x}), \pi}) & 
\{\!|\mu Z(\mathbf{x}).\varphi|\!\}_\pi &= \mathrm{lfp}(f_{\varphi, Z(\mathbf{x}), \pi}) 
\end{aligned}$$ 

where f_{φ,Z(x),π} : 2^{C(𝓔) × Env_𝓔} → 2^{C(𝓔) × Env_𝓔} is defined by f_{φ,Z(x),π}(S) = 
{|φ|}_{π[Z(x) ↦ S]} and gfp(f_{φ,Z(x),π}) (resp. lfp(f_{φ,Z(x),π})) denotes the correspond- 
ing greatest (resp. least) fixpoint. We say that a PES 𝓔 satisfies a formula φ and 
write 𝓔 ⊨ φ if (∅, η) ∈ {|φ|}_π for all environments η and π. 


The semantics of boolean operators is standard. The formula ⟨x, y < a z⟩ φ 
holds in (C, η) when configuration C enables an a-labelled event e that causally 
depends on (at least) the events bound to the variables in x and is concurrent with 
(at least) those bound to the variables in y and, once executed, it produces a new 
configuration C' = C ∪ {e} which, paired with the environment η' = η[z ↦ e], 
satisfies the formula φ. Dually, [x, y < a z] φ holds when all a-labelled events 
executable from C, caused by x and concurrent with y bring to a configuration 
where φ is satisfied. 

The fixpoints corresponding to the formulae νZ(x).φ and μZ(x).φ are guar- 
anteed to exist by the Knaster-Tarski theorem, since the set 2^{C(𝓔) × Env_𝓔} ordered by 
subset inclusion is a complete lattice and the functions f_{φ,Z(x),π} are monotonic. 
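As an added example (not code from the paper), the following Python encodes Definitions 1-3 on a small finite PES and evaluates the fixpoint-free fragment of Definition 7 (T, F, ∧, ∨ and the two modalities) on it; the PES is constructed here to mimic only the shape described for 𝓔_N in Fig. 1 (a c-event causing an a-event, with b-events concurrent to it) and is not the paper's 𝓔_N.

```python
from itertools import chain, combinations

# Formulas of the fixpoint-free fragment, written as tuples:
#   ("dia", X, Y, a, z, phi)   for  <X, Y < a z> phi
#   ("box", X, Y, a, z, phi)   for  [X, Y < a z] phi
#   ("and", p, q), ("or", p, q), "T", "F"

class PES:
    """A finite Lambda-labelled prime event structure (Definition 1)."""
    def __init__(self, events, leq, conflict, label):
        self.E = frozenset(events)
        self.leq = {(e, e) for e in events} | set(leq)              # reflexive
        self.conf = set(conflict) | {(y, x) for (x, y) in conflict}  # symmetric
        self.label = dict(label)
        self._check()

    def cone(self, e):
        """Causal history [e] = {e' | e' <= e}."""
        return frozenset(x for (x, y) in self.leq if y == e)

    def _check(self):
        """Definition 1: <= is a partial order, # is irreflexive and inherited
        along <= (symmetry holds by construction). Raises on a violation."""
        for (x, y) in self.leq:
            if x != y and (y, x) in self.leq:
                raise ValueError(f"<= not antisymmetric on {x}, {y}")
            for (y2, z) in self.leq:
                if y2 == y and (x, z) not in self.leq:
                    raise ValueError(f"<= not transitive: {x} <= {y} <= {z}")
        for (x, y) in self.conf:
            if x == y:
                raise ValueError(f"# not irreflexive on {x}")
            for (y2, z) in self.leq:
                if y2 == y and (x, z) not in self.conf:
                    raise ValueError(f"# not inherited: {x}#{y}<={z} but not {x}#{z}")

    def is_configuration(self, C):
        """Definition 2: consistent and causally closed."""
        C = frozenset(C)
        consistent = all((e, f) not in self.conf for e in C for f in C)
        return consistent and all(self.cone(e) <= C for e in C)

    def configurations(self):
        """C(E), by enumerating all subsets (fine for a small finite PES)."""
        evs = sorted(self.E)
        subsets = chain.from_iterable(combinations(evs, n) for n in range(len(evs) + 1))
        return {frozenset(s) for s in subsets if self.is_configuration(s)}

    def enabled(self, C):
        """en(C) of Definition 3."""
        return {e for e in self.E - frozenset(C) if self.is_configuration(set(C) | {e})}

    def step(self, C, e, X, Y):
        """Is there a transition C --X,Y <_e lambda(e)--> C u {e} (Definition 3)?
        X: causes of e taken from C; Y: events of C concurrent with e."""
        cone = self.cone(e)
        return (e in self.enabled(C) and X <= C and X <= cone
                and Y <= C and not (Y & cone))

def sat(pes, phi, C, eta):
    """Definition 7 restricted to the fixpoint-free fragment: (C, eta) |= phi.
    eta is a partial environment Var -> E; variables used in X, Y must be bound."""
    if phi == "T":
        return True
    if phi == "F":
        return False
    op = phi[0]
    if op in ("and", "or"):
        l, r = sat(pes, phi[1], C, eta), sat(pes, phi[2], C, eta)
        return (l and r) if op == "and" else (l or r)
    _, X, Y, a, z, body = phi
    Xe, Ye = frozenset(eta[x] for x in X), frozenset(eta[y] for y in Y)
    succ = [e for e in pes.enabled(C) if pes.label[e] == a and pes.step(C, e, Xe, Ye)]
    results = [sat(pes, body, C | {e}, {**eta, z: e}) for e in succ]
    return any(results) if op == "dia" else all(results)

def models(pes, phi):
    """E |= phi for a closed phi: satisfaction at the empty configuration."""
    return sat(pes, phi, frozenset(), {})

def is_valid_pes(events, leq, conflict, label):
    """True iff the data satisfies Definition 1 (used to show a rejected input)."""
    try:
        PES(events, leq, conflict, label)
        return True
    except ValueError:
        return False

# Constructed PES (not the paper's E_N): c <= a, b1 <= b2, a # b2; the b-events
# are concurrent with c, and a is caused by c.
E_EX = PES(events=["c", "a", "b1", "b2"], leq=[("c", "a"), ("b1", "b2")],
           conflict=[("a", "b2")], label={"c": "c", "a": "a", "b1": "b", "b2": "b"})

# phi1 from Sect. 2.2: after a c-event, an a-event caused by it and a b-event
# concurrent with it are both available.
PHI1 = ("dia", (), (), "c", "x", ("and", ("dia", ("x",), (), "a", "y", "T"),
                                         ("dia", (), ("x",), "b", "z", "T")))
# phi2: both events concurrent with the c-event; false here because c causes a.
PHI2 = ("dia", (), (), "c", "x", ("and", ("dia", (), ("x",), "a", "y", "T"),
                                         ("dia", (), ("x",), "b", "z", "T")))
# A box formula: after c and any a caused by it, no b-event can be followed by
# a causally dependent b-event (b2 is in conflict with a).
PHI3 = ("dia", (), (), "c", "x", ("box", ("x",), (), "a", "y",
        ("box", (), (), "b", "u", ("box", ("u",), (), "b", "v", "F"))))

if __name__ == "__main__":
    print(sorted(map(sorted, E_EX.configurations())))
    print(models(E_EX, PHI1), models(E_EX, PHI2), models(E_EX, PHI3))
```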




3 Automata-Based Model Checker 


We introduce nondeterministic parity tree automata and we show how the model 
checking problem for L_hp on strongly regular PESs can be reduced to the non- 
emptiness of the language of such automata. The automaton naturally generated 
from a PES and a formula has an infinite number of states. We discuss how the 
automaton can be quotiented to a finite one accepting the same language and 
thus potentially useful for model checking purposes. 


3.1 Infinite Parity Tree Automata 


Automata on infinite trees have proved to be a powerful tool for various problems in 
the setting of branching temporal logics. Here we focus on nondeterministic par- 
ity tree automata [29], with some (slightly) non-standard features. We work on 
k-trees (rather than on binary trees), a choice that will simplify the presentation, 
and we allow for possibly infinite state automata. 

When automata are used for model checking purposes it is standard to 
restrict to unlabelled trees. A $k$-bounded branching tree or $k$-tree, for short, is a 
subset $T \subseteq [1,k]^*$ such that 


1. $T$ is prefix closed, i.e., if $wv \in T$ then $w \in T$; 
2. $w1 \in T$ for all $w \in T$; 
3. for all $i \in [2, k]$, if $wi \in T$ then $w(i-1) \in T$. 


Elements of $T$ are the nodes of the tree. The empty string $\epsilon$ corresponds to 
the root. A string of the form $wi$ corresponds to the $i$-th child of $w$. Hence by 
(2) each branch is infinite and by (3) the presence of the $i$-th child implies the 
presence of the $j$-th child for all $j < i$. 


Definition 8 (nondeterministic parity automaton). A $k$-bounded nonde- 
terministic parity tree automaton (NPA) is a tuple $\mathcal{A} = (Q, \to, q_0, F)$ where $Q$ 
is a set of states, $\to \subseteq Q \times \bigcup_{i=1}^{k} Q^i$ is the transition relation, $q_0 \in Q$ is the initial 
state, and $F = (F_0, \dots, F_h)$ is the acceptance condition, where $F_0, \dots, F_h \subseteq Q$ 
are mutually disjoint subsets of states. 


Transitions are written as $q \to (q_1, \dots, q_m)$ instead of $(q, (q_1, \dots, q_m)) \in \to$. 
Given a $k$-tree $T$, a run of $\mathcal{A}$ on $T$ is a labelling of $T$ over the states $r : T \to Q$ 
consistent with the transition relation, i.e., such that $r(\epsilon) = q_0$ and for all $u \in T$ 
with $m$ children, there is a transition $r(u) \to (r(u1), \dots, r(um))$ in $\mathcal{A}$. A path in 
the run $r$ is an infinite sequence of states $\rho = (q_0, q_1, \dots)$ labelling a complete 
path from the root in the tree. It is called accepting if there exists an even 
number $I \in [0,h]$ such that the set $\{j \mid q_j \in F_I\}$ is infinite and the set 
$\{j \mid q_j \in \bigcup_{I < i \le h} F_i\}$ is finite. The run $r$ is accepting if all its paths are accepting. 
Definition 9 (language of an NPA). Let $\mathcal{A}$ be an NPA. The language of $\mathcal{A}$, 
denoted by $\mathcal{L}(\mathcal{A})$, consists of the trees $T$ which admit an accepting run. 


Observe that for a $k$-bounded NPA, the language $\mathcal{L}(\mathcal{A})$ is a set of $k$-trees. 

The possibility of having an infinite number of states and the associated 
acceptance condition are somewhat non-standard. However, it is easy to see that 
whenever an NPA is finite, the acceptance condition coincides with the standard 
parity condition, which requires that the maximal priority (the index $i$ of the set $F_i$) 
occurring infinitely often along each path is even. 
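The coincidence just claimed is easy to check mechanically on the kind of path that an on-the-fly exploration of a finite NPA actually produces: a finite prefix followed by a loop back to an already generated state. The following Python is an added example, not code from the paper or from the authors' tool; it evaluates both formulations of the acceptance condition on such a lasso-shaped path and checks exhaustively that they agree. The tuple F_TOY and the state names are constructed toy inputs, and a state that lies in no $F_i$ is treated as having no priority.

```python
from itertools import combinations


def priorities(F):
    """Map each state to the index i of the unique F_i containing it.
    F = (F_0, ..., F_h) must be mutually disjoint, as in Definition 8."""
    prio = {}
    for i, Fi in enumerate(F):
        for q in Fi:
            if q in prio:
                raise ValueError(f"{q!r} lies in both F_{prio[q]} and F_{i}")
            prio[q] = i
    return prio


def infinitely_often(path):
    """A path generated on the fly ends by looping back to an earlier state:
    path[-1] == path[j] for some j < len(path) - 1.  On the infinite path
    this induces, the states visited infinitely often are those on the loop."""
    j = path.index(path[-1])
    if j == len(path) - 1:
        raise ValueError("path does not loop back to an earlier state")
    return set(path[j:-1])


def accepting_paper(path, F):
    """Acceptance as stated on the page: some even I in [0, h] such that F_I
    is visited infinitely often and F_{I+1} ∪ ... ∪ F_h only finitely often."""
    prio = priorities(F)
    seen = {prio[q] for q in infinitely_often(path) if q in prio}
    h = len(F) - 1
    return any(I in seen and not any(i > I for i in seen)
               for I in range(0, h + 1, 2))


def accepting_standard(path, F):
    """Standard parity condition: the maximal priority occurring infinitely
    often is even.  A path that eventually avoids every F_i is rejected."""
    prio = priorities(F)
    seen = {prio[q] for q in infinitely_often(path) if q in prio}
    return bool(seen) and max(seen) % 2 == 0


def conditions_agree(F, states):
    """Exhaustive check: both conditions coincide on every non-empty loop
    through a subset of `states`."""
    for n in range(1, len(states) + 1):
        for loop in combinations(states, n):
            path = ["start", *loop, loop[0]]
            if accepting_paper(path, F) != accepting_standard(path, F):
                return False
    return True


# Constructed toy acceptance condition with h = 3; the state "x" lies in no F_i.
F_TOY = ({"a"}, {"b"}, {"c"}, {"d"})

if __name__ == "__main__":
    print(accepting_paper(["start", "c", "b", "c"], F_TOY))  # max priority 2: accepted
    print(accepting_paper(["start", "a", "b", "a"], F_TOY))  # max priority 1: rejected
    print(conditions_agree(F_TOY, ["a", "b", "c", "d", "x"]))
```

The only subtlety is the loop-only view of the path: states on the prefix are visited finitely often and therefore contribute to neither condition, which is exactly why the prefix is ignored by `infinitely_often`.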

Since NPAs are nondeterministic, different runs (possibly infinitely many) 
can exist for the same input tree. Still, the non-emptiness problem, also for our 
k-ary variant, is decidable when the number of states is finite (and solvable by 
a corresponding parity game [30]). 


3.2 Infinite NPAs for Model Checking 


We show how, given a PES and a closed formula $\varphi$ in $\mathcal{L}_{hp}$, we can build an NPA in 
such a way that, for strongly regular PESs, the satisfaction of $\varphi$ in $E$ reduces to the 
non-emptiness of the automaton language. The construction is inspired by that 
in [28] for the mu-calculus. 

The acceptance condition for the automaton will refer to the fixpoint alterna- 
tion in the formulae of $\mathcal{L}_{hp}$. We adapt a definition from [28]. A fixpoint formula 
$\alpha X(\mathbf{y}).\varphi'$, for $\alpha \in \{\nu, \mu\}$, is called an $\alpha$-formula. Hereafter $\alpha$ ranges over $\{\nu, \mu\}$. 
Given an $\alpha$-formula $\varphi = \alpha X(\mathbf{y}).\varphi'$, we say that a subformula $\psi$ of $\varphi$ is a direct 
active subformula, written $\psi \sqsubset_d \varphi$, if the abstract proposition $X$ appears free in 
$\psi$. The transitive closure of $\sqsubset_d$ is a partial order and when $\psi \sqsubset_d^* \varphi$ we say that 
$\psi$ is an active subformula of $\varphi$. We denote by $sf(\varphi)$ the set of subformulae of a 
formula $\varphi$ and by $sf_\alpha(\varphi)$ the set of active $\alpha$-subformulae. 

The alternation depth of a formula $\varphi$ in $\mathcal{L}_{hp}$, written $ad(\varphi)$, is defined, for 
a $\nu$-formula $\varphi$, as $ad(\varphi) = \max\{1 + ad(\psi) \mid \psi \in sf_\mu(\varphi)\}$ and dually, for a 
$\mu$-formula $\varphi$, as $ad(\varphi) = \max\{1 + ad(\psi) \mid \psi \in sf_\nu(\varphi)\}$. For any other formula $\varphi$, 
$ad(\varphi) = \max\{ad(\psi) \mid \psi \in sf(\varphi) \setminus \{\varphi\}\}$. It is intended that $\max \emptyset = 0$. E.g., by 
the first clause above, the alternation depth of $\nu X(\mathbf{x}).\varphi$ is $0$ in the absence of active 
$\mu$-subformulae. 
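Because only active subformulae count, the alternation depth is not simply the number of nested $\nu$/$\mu$ changes: a $\mu$-subformula that does not mention the enclosing $\nu$-bound proposition contributes nothing. The Python below is an added example, not the paper's own code; it implements $sf$, the active-subformula closure $\sqsubset_d^*$ and $ad$ on a small term representation of $\mathcal{L}_{hp}$ in which event variables are dropped and labels kept only as tags, since neither plays a role in the definition. The formulas at the end are constructed for illustration and assume, as the page does, that bound propositions have distinct names.

```python
# Formulas are nested tuples.  Event variables are elided because they do
# not affect alternation depth; "prop" is an occurrence X(y) of a proposition.
TRUE, FALSE = ("T",), ("F",)

def Nu(x, body): return ("nu", x, body)
def Mu(x, body): return ("mu", x, body)
def And(a, b): return ("and", a, b)
def Or(a, b): return ("or", a, b)
def Box(a, body): return ("box", a, body)
def Dia(a, body): return ("dia", a, body)
def Prop(x): return ("prop", x)


def sf(phi):
    """sf(phi): all subformulae of phi, phi itself included."""
    out = {phi}
    tag = phi[0]
    if tag in ("nu", "mu", "box", "dia"):
        out |= sf(phi[2])
    elif tag in ("and", "or"):
        out |= sf(phi[1]) | sf(phi[2])
    return out


def free_props(phi):
    """Abstract propositions occurring free in phi."""
    tag = phi[0]
    if tag == "prop":
        return {phi[1]}
    if tag in ("nu", "mu"):
        return free_props(phi[2]) - {phi[1]}
    if tag in ("box", "dia"):
        return free_props(phi[2])
    if tag in ("and", "or"):
        return free_props(phi[1]) | free_props(phi[2])
    return set()


def is_fix(phi, alpha=None):
    return phi[0] in ("nu", "mu") and (alpha is None or phi[0] == alpha)


def active(phi):
    """Active subformulae of a fixpoint formula: the transitive closure of
    psi <_d phi, which holds iff the proposition bound by phi is free in psi."""
    assert is_fix(phi)
    direct = {psi for psi in sf(phi) - {phi} if phi[1] in free_props(psi)}
    closure = set(direct)
    for psi in direct:
        if is_fix(psi):           # only fixpoint formulae have <_d-predecessors
            closure |= active(psi)
    return closure


def ad(phi):
    """Alternation depth as defined on the page, with max of the empty set = 0."""
    if is_fix(phi):
        dual = "mu" if phi[0] == "nu" else "nu"
        return max((1 + ad(psi) for psi in active(phi) if is_fix(psi, dual)), default=0)
    return max((ad(psi) for psi in sf(phi) - {phi}), default=0)


# Constructed examples (event variables omitted).
PHI_PLAIN = Nu("X", Box("a", Prop("X")))                       # nu X. [a] X
PHI_ALT = Nu("X", Mu("Y", Or(Dia("a", Prop("Y")), Dia("b", Prop("X")))))
PHI_INACTIVE = Nu("X", And(Dia("a", Prop("X")), Mu("Y", Dia("b", Prop("Y")))))
PHI_DEPTH2 = Nu("X", Mu("Y", Nu("Z", Or(Or(Dia("a", Prop("X")), Dia("b", Prop("Y"))),
                                        Dia("c", Prop("Z"))))))

if __name__ == "__main__":
    for name, phi in [("plain", PHI_PLAIN), ("alt", PHI_ALT),
                      ("inactive", PHI_INACTIVE), ("depth2", PHI_DEPTH2)]:
        print(name, ad(phi))
```

PHI_INACTIVE is the case the page singles out: its inner $\mu Y$ never mentions $X$, so it is not active in the outer $\nu X$ and the alternation depth stays $0$, whereas in PHI_ALT the $\mu Y$ body refers back to $X$ and the depth is $1$.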

Hereafter we assume that in every formula different bound propositions have 
different names, so that we can refer to the fixpoint subformula quantifying an 
abstract proposition. This requirement can always be fulfilled by alpha-renaming. 

Hereafter, if $X$ and $X'$ are abstract propositions quantified in $\alpha$-subformulae 
$\alpha X(\mathbf{x}).\varphi$ and $\alpha' X'(\mathbf{x}').\varphi'$, we will write $ad(X)$ for $ad(\alpha X(\mathbf{x}).\varphi)$ and $X \sqsubset_d X'$ 
for $\alpha X(\mathbf{x}).\varphi \sqsubset_d \alpha' X'(\mathbf{x}').\varphi'$. Moreover, given a PES $E$, for a pair $(C, \eta) \in$ 
$\mathcal{C}(E) \times Env_E$ and variables $\mathbf{x}$, $\mathbf{y}$, $z$, we define the $(\mathbf{x}, \overline{\mathbf{y}} < a\, z)$-successors of $(C, \eta)$ as 


$$Succ^{\mathbf{x}, \overline{\mathbf{y}} < a z}(C, \eta) = \{(C', \eta[z \mapsto e]) \mid C \xrightarrow[a]{\eta(\mathbf{x}),\, \overline{\eta(\mathbf{y})} < e} C'\},$$ 

where the transition means that $e$ is an $a$-labelled event enabled in $C$, caused by the events $\eta(\mathbf{x})$ and concurrent with the events $\eta(\mathbf{y})$, and $C' = C \cup \{e\}$. 
We can now illustrate the construction of the NPA for a formula and a PES. 


Definition 10 (NPA for a formula). Let $E$ be a bounded PES and let $\varphi \in \mathcal{L}_{hp}$ 
be a closed formula. The NPA for $E$ and $\varphi$ is $\mathcal{A}_{E,\varphi} = (Q, \to, q_0, F)$ defined 
as follows. The set of states $Q \subseteq \mathcal{C}(E) \times Env_E \times sf(\varphi)$ is $Q = \{(C, \eta, \psi) \mid$ 
$\eta(fv(\psi)) \subseteq C\}$. The initial state is $q_0 = (\emptyset, \eta, \varphi)$, for some chosen $\eta \in Env_E$. The 
transition relation is defined, for any state $q = (C, \eta, \psi) \in Q$, by: 


- if $\psi = \mathsf{T}$ or $\psi = \mathsf{F}$, then $q \to (q)$; 

- if $\psi = \psi_1 \wedge \psi_2$, then $q \to (q_1, q_2)$ where $q_i = (C, \eta, \psi_i)$, $i \in \{1,2\}$; 

- if $\psi = \psi_1 \vee \psi_2$, then $q \to (q_1)$ and $q \to (q_2)$ where $q_i = (C, \eta, \psi_i)$, $i \in \{1,2\}$; 

- if $\psi = [\mathbf{x}, \overline{\mathbf{y}} < a\, z]\,\psi'$ and $Succ^{\mathbf{x}, \overline{\mathbf{y}} < a z}(C, \eta) = \{(C_1, \eta_1), \dots, (C_n, \eta_n)\} \neq \emptyset$ 
then $q \to (q_1, \dots, q_n)$ where $q_i = (C_i, \eta_i, \psi')$ for $i \in [1,n]$, otherwise $q \to (q)$; 

- if $\psi = \langle \mathbf{x}, \overline{\mathbf{y}} < a\, z\rangle\,\psi'$ and $Succ^{\mathbf{x}, \overline{\mathbf{y}} < a z}(C, \eta) = \{(C_1, \eta_1), \dots, (C_n, \eta_n)\} \neq \emptyset$ 
then $q \to (q_i)$ where $q_i = (C_i, \eta_i, \psi')$ for $i \in [1,n]$, otherwise $q \to (q)$; 

- if $\psi = \alpha X(\mathbf{x}).\psi'$ then $q \to (q')$ where $q' = (C, \eta, X(\mathbf{x}))$; 

- if $\psi = X(\mathbf{y})$ and $\psi' \in sf(\varphi)$ is the unique subformula such that $\psi' =$ 
$\alpha X(\mathbf{x}).\psi''$ then $q \to (q')$ where $q' = (C, \eta[\mathbf{x} \mapsto \eta(\mathbf{y})], \psi'')$. 


The acceptance condition is $F = (F_0, \dots, F_h)$ where $h = ad(\varphi) + 1$ and the 
$F_i$ are as follows. Consider $A_0, \dots, A_h \subseteq sf(\varphi)$ such that for $i \in [0,h]$, if $i$ is 
even (odd) then $A_i$ contains exactly all propositions quantified in $\nu$-subformulae 
($\mu$-subformulae) with alternation depth $i$ or $i-1$. Then $F_0 = (\mathcal{C}(E) \times Env_E \times$ 
$(A_0 \cup \{\mathsf{T}\})) \cup B$ where $B = \{(C, \eta, [\mathbf{x}, \overline{\mathbf{y}} < a\, z]\,\psi) \mid Succ^{\mathbf{x}, \overline{\mathbf{y}} < a z}(C, \eta) = \emptyset\}$ is 
the set of states carrying a box subformula that is trivially true in its context (no successors), and 
$F_i = \mathcal{C}(E) \times Env_E \times A_i$ for $i \in [1, h]$. 


States of $\mathcal{A}_{E,\varphi}$ are triples $(C, \eta, \psi)$ consisting of a configuration $C$, an envi- 
ronment $\eta$ and a subformula $\psi$ of the original formula $\varphi$. The intuition is that a 
transition reduces the satisfaction of a formula in a state to that of its subformulae 
in possibly updated states. It can just decompose the formula, as happens 
for $\wedge$ or $\vee$, check the satisfaction of a modal operator, changing the state 
accordingly, or unfold a fixpoint. 

The automaton $\mathcal{A}_{E,\varphi}$ is bounded but normally infinite (whenever the PES $E$ 
is infinite and the formula $\varphi$ includes some non-trivial fixpoint). 

We next show that for a strongly regular PES the satisfaction of the formula 
$\varphi$ on the PES $E$ reduces to the non-emptiness of the language of $\mathcal{A}_{E,\varphi}$. 


Theorem 1 (model checking via non-emptiness). Let $E$ be a strongly reg- 
ular PES and let $\varphi$ be a closed formula in $\mathcal{L}_{hp}$. Then $\mathcal{L}(\mathcal{A}_{E,\varphi}) \neq \emptyset$ iff $E \models \varphi$. 


We next provide an outline of the proof. A basic ingredient is an equivalence 
that can be defined on the NPA. As a first step we introduce a generalised notion 
of residual in which the relation with some selected events in the past is kept. 


Definition 11 (pointed residual). Given a PES $E$ and a set $X$, an $X$-pointed 
configuration is a pair $(C, \zeta)$ where $C \in \mathcal{C}(E)$ and $\zeta : X \to C$ is a function. We 
say that the $X$-pointed configurations $(C, \zeta)$, $(C', \zeta')$ have isomorphic pointed 
residuals, written $E[(C, \zeta)] \approx E[(C', \zeta')]$, if there is an isomorphism of PESs $\iota :$ 
$E[C] \to E[C']$ such that for all $x \in X$, $e \in E[C]$ we have $\zeta(x) < e$ iff $\zeta'(x) < \iota(e)$. 
Then two states are deemed equivalent if they involve the same subformula 
(up to renaming of the event variables) and the configurations, pointed by the 
free variables in the formulae, have isomorphic residuals. This resembles the 
notion of contextualised equivalence used on tableau judgments in [26]. 


Definition 12 (future equivalence). Let $E$ be a PES, $\varphi$ be a formula and 
let $q_i = (C_i, \eta_i, \psi_i)$, $i \in \{1,2\}$, be two states of the NPA $\mathcal{A}_{E,\varphi}$. We say that $q_1$ 
and $q_2$ are future equivalent, written $q_1 \approx_f q_2$, if there exist a formula $\psi$ and 
substitutions $\sigma_i : fv(\psi) \to fv(\psi_i)$ such that $\psi\sigma_i = \psi_i$, for $i \in \{1,2\}$, and the 
$fv(\psi)$-pointed configurations $(C_i, \eta_i \circ \sigma_i)$ have isomorphic pointed residuals. 


It can be shown that, given future equivalent states $q_i = (C_i, \eta_i, \psi_i)$, $i \in \{1,2\}$, as above, for all 
proposition environments $\pi$ (satisfying a technical property of saturation) we 
have that $(C_1, \eta_1) \in \{\!|\psi_1|\!\}^{E}_{\pi}$ if and only if $(C_2, \eta_2) \in \{\!|\psi_2|\!\}^{E}_{\pi}$. Additionally, using 
strong regularity, one can prove that the semantics of fixpoint formulae is prop- 
erly captured by finite approximants and that the equivalence $\approx_f$ is of finite index. 
These are the fundamental building blocks of the proof of Theorem 1 which, roughly, 
proceeds as follows. 

Assume that the language $\mathcal{L}(\mathcal{A}_{E,\varphi}) \neq \emptyset$. Then there is an accepting run $r$ over 
some $k$-tree $T$. Since $\varphi$ is finite, in each infinite path there are infinitely many 
states $q_{i_h} = (C_{i_h}, \eta_{i_h}, \psi_{i_h})$ where $\psi_{i_h}$ is the same subformula, up to renaming. 
Since $\approx_f$ is of finite index, infinitely many such states are equivalent. Then 
one deduces that, for some $h$, the subformula $\psi_{i_h}$ is satisfied in $(C_{i_h}, \eta_{i_h})$. For 
fixpoint subformulae, this requires showing that, since the run is accepting, the 
subformula of maximal alternation depth that repeats infinitely often is a $\nu$- 
formula, and using the fact that, as mentioned before, its semantics can be finitely 
approximated. Then, by a form of backward soundness of the transitions, we get 
that all the nodes, including the root, carry formulae which are satisfied. 

For the converse implication, assume that $E \models \varphi$. Starting from the initial 
state $q_0 = (\emptyset, \eta, \varphi)$, where the formula is satisfied, and using the automaton 
transitions, we can build a $k$-tree $T$ and a run where for each state $(C', \eta', \psi)$ the 
subformula $\psi$ is satisfied in $(C', \eta')$, and such a run can be proved to be accepting. 


3.3 Quotienting the Automaton 


In order to have an effective procedure for checking the satisfaction of a formula 
we need to build a suitable quotient of the NPA, with respect to an equivalence 
which preserves emptiness. A simple but important observation is that it is 
sufficient to require that the equivalence is a bisimulation in the following sense. 
An analogous notion is studied in [31] in the setting of nondeterministic tree 
automata over finite trees. 


Definition 13 (bisimulation). Given an NPA $\mathcal{A}$, a symmetric relation $R \subseteq$ 
$Q \times Q$ over the set of states is a bisimulation if for all $(q, q') \in R$ 

1. for all $i \in [0, h]$, $q \in F_i \iff q' \in F_i$; 

2. if $q \to (q_1, \dots, q_m)$ then $q' \to (q_1', \dots, q_m')$ with $(q_i, q_i') \in R$ for $i \in [1, m]$. 
Given an NPA $\mathcal{A}$ and an equivalence $\equiv$ on the set of states which is a 
bisimulation, we define the quotient as $\mathcal{A}_{/\equiv} = (Q_{/\equiv}, \to_{/\equiv}, [q_0]_\equiv, F_{/\equiv})$ where 
$[q]_\equiv \to_{/\equiv} ([q_1]_\equiv, \dots, [q_m]_\equiv)$ if $q \to (q_1, \dots, q_m)$ and $F_{/\equiv} = ((F_0)_{/\equiv}, \dots, (F_h)_{/\equiv})$. An 
NPA and its quotient accept exactly the same language. 


Theorem 2 (language preservation). Let $\mathcal{A}$ be an NPA and let $\equiv$ be an 
equivalence on the set of states which is a bisimulation. Then $\mathcal{L}(\mathcal{A}_{/\equiv}) = \mathcal{L}(\mathcal{A})$. 


When $\equiv$ is of finite index, the quotient $\mathcal{A}_{E,\varphi/\equiv}$ is finite and, exploiting 
Theorems 1 and 2, we can verify whether $E \models \varphi$ by checking the emptiness 
of the language accepted by $\mathcal{A}_{E,\varphi/\equiv}$. Clearly a concrete algorithm will not first 
generate the infinite state NPA and then take the quotient, but rather per- 
forms the quotient on the fly: whenever a new state would be equivalent to one 
already generated, the transition loops back to the existing state. 
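For a finite NPA, the coarsest equivalence that is a bisimulation in the sense of Definition 13 can be computed by partition refinement, and the quotient of Theorem 2 is then read off block by block. The Python below is an added example and not the paper's construction: it starts from the partition induced by membership in the sets $F_i$ (condition 1) and splits a block whenever two of its states do not have matching transitions into blocks (condition 2). The automaton at the end is a constructed toy with two states that Definition 13 identifies and one that it keeps apart.

```python
def coarsest_bisimulation(states, trans, F):
    """Greatest bisimulation equivalence on a finite NPA by partition refinement.
    states: list of states; trans: state -> list of successor tuples (q1, ..., qm);
    F: tuple (F_0, ..., F_h) of mutually disjoint sets.  Returns state -> block id.
    The initial partition groups states by the F_i they lie in (condition 1 of
    Definition 13); each round splits on the set of block-tuples reachable by
    one transition (condition 2).  Refinement only ever splits blocks, so the
    loop stops as soon as a round leaves the number of blocks unchanged."""
    def prio(q):
        return next((i for i, Fi in enumerate(F) if q in Fi), -1)

    block = {q: prio(q) for q in states}
    while True:
        sig = {q: (block[q], frozenset(tuple(block[s] for s in succ) for succ in trans[q]))
               for q in states}
        ids = {}
        new = {q: ids.setdefault(sig[q], len(ids)) for q in states}
        if len(ids) == len(set(block.values())):
            return new
        block = new


def quotient(states, trans, q0, F, block):
    """A_/≡: blocks as states, transitions and the F_i lifted blockwise."""
    q_states = sorted(set(block.values()))
    q_trans = {b: set() for b in q_states}
    for q in states:
        for succ in trans[q]:
            q_trans[block[q]].add(tuple(block[s] for s in succ))
    q_F = tuple({block[q] for q in Fi} for Fi in F)
    return q_states, q_trans, block[q0], q_F


# Constructed toy NPA (k = 2): q1 and q2 both lie in F_0 and only loop on
# themselves, so they are bisimilar; q3 also loops but lies in no F_i.
TOY_STATES = ["q0", "q1", "q2", "q3"]
TOY_TRANS = {"q0": [("q1", "q2"), ("q3",)],
             "q1": [("q1",)], "q2": [("q2",)], "q3": [("q3",)]}
TOY_F = ({"q1", "q2"},)

if __name__ == "__main__":
    blk = coarsest_bisimulation(TOY_STATES, TOY_TRANS, TOY_F)
    print(blk)
    print(quotient(TOY_STATES, TOY_TRANS, "q0", TOY_F, blk))
```

Two states end up in the same block exactly when their transition signatures, read over blocks, coincide, which is a symmetric relation satisfying both clauses of Definition 13; the on-the-fly variant described above never materialises the full state set but applies the same test to each newly generated state.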

Whenever $E$ is strongly regular, the future equivalence on states (see 
Definition 12) provides a bisimul­ation equivalence of finite index over $\mathcal{A}_{E,\varphi}$. 


Lemma 1 ($\approx_f$ is a bisimulation). Let $E$ be a strongly regular PES and let 
$\varphi$ be a closed formula in $\mathcal{L}_{hp}$. Then the future equivalence $\approx_f$ on $\mathcal{A}_{E,\varphi}$ is a 
bisimulation and it is of finite index. 


An obstacle towards the use of the quotiented NPA for model checking pur- 
poses is the fact that the future equivalence could be hard to compute (or even 
undecidable). In order to make the construction effective we need a decidable 
bisimulation equivalence on the NPA and the effectiveness of the set of successors 
of a state. This is further discussed in the next section. 


4 Model Checking Petri Nets 


We show how the model checking approach outlined before can be instantiated 
on finite safe Petri nets, a classical model of concurrency and distribution [32], 
by identifying a suitable effective bisimulation equivalence on the NPA. 


4.1 Petri Nets and Their Event Structure Semantics 


A Petri net is a tuple $N = (P, T, F, M_0)$ where $P$, $T$ are disjoint sets of places 
and transitions, respectively, $F : (P \times T) \cup (T \times P) \to \{0,1\}$ is the flow function, 
and $M_0$ is the initial marking, i.e., the initial state of the net. We assume that 
the set of transitions is a subset of a fixed set $\mathbb{T}$ with a labelling $\lambda_N : \mathbb{T} \to \Lambda$. 
A marking of $N$ is a function $M : P \to \mathbb{N}$, indicating for each place the 
number of tokens in the place. A transition $t \in T$ is enabled at a marking $M$ 
if $M(p) \ge F(p,t)$ for all $p \in P$. In this case it can be fired, leading to a new 
marking $M'$ defined by $M'(p) = M(p) + F(t,p) - F(p,t)$ for all places $p \in P$. 
This is written $M[t\rangle M'$. We denote by $R(N)$ the set of markings reachable in $N$ 
via a sequence of firings starting from the initial marking. We say that a marking 
$M$ is coverable if there exists $M' \in R(N)$ such that $M \le M'$, pointwise. A net 
$N$ is safe if for every reachable marking $M \in R(N)$ and all $p \in P$ we have 
$M(p) \le 1$. Hereafter we will consider only safe nets. Hence markings will 
often be identified with the corresponding subset of places $\{p \mid M(p) = 1\} \subseteq P$. For 
$x \in P \cup T$ the pre-set and post-set are defined as ${}^\bullet x = \{y \in P \cup T \mid F(y,x) = 1\}$ 
and $x^\bullet = \{y \in P \cup T \mid F(x,y) = 1\}$, respectively. 

An example of Petri net can be found in Fig. 1b. Graphically places and tran- 
sitions are drawn as circles and rectangles, respectively, while the flow function is 
rendered by means of directed arcs connecting places and transitions. Markings 
are represented by inserting tokens (black dots) in the corresponding places. 

The concurrent behaviour of a Petri net can be represented by its unfolding 
U(N), an acyclic net constructed inductively starting from the initial marking 
of N and then adding, at each step, an occurrence of each enabled transition. 


Definition 14 (unfolding). Let $N = (P, T, F, M_0)$ be a safe net. Define the 
net $U^{(0)} = (P^{(0)}, T^{(0)}, F^{(0)})$ as $T^{(0)} = \emptyset$, $P^{(0)} = \{(p, \bot) \mid p \in M_0\}$ and $F^{(0)} = \emptyset$, 
where $\bot$ is an element not belonging to $P$, $T$ or $F$. The unfolding is the least 
net $U(N) = (P^{(N)}, T^{(N)}, F^{(N)})$ containing $U^{(0)}$ and such that 


- if $t \in T$, the set of places $X \subseteq P^{(N)}$ is coverable and $\pi_1(X) = {}^\bullet t$, then 
$e = (t, X) \in T^{(N)}$; 

- for any $e = (t, X) \in T^{(N)}$, the set $Z = \{(p, e) \mid p \in \pi_1(e)^\bullet\} \subseteq P^{(N)}$, where 
$\pi_1(u, v) = u$; moreover ${}^\bullet e = X$ and $e^\bullet = Z$. 


Places and transitions in the unfolding represent tokens and firings of transi- 
tions, respectively, of the original net. The projection $\pi_1$ over the first component 
maps places and transitions of the unfolding to the corresponding items of the 
original net $N$. The initial marking is implicitly identified as the set of minimal 
places. For historical reasons transitions and places in the unfolding are also 
called events and conditions, respectively. 

One can define causality $<_N$ over the unfolding as the transitive closure of 
the flow relation. Conflict is the relation $e \# e'$ if ${}^\bullet e \cap {}^\bullet e' \neq \emptyset$, inherited along 
causality. The events $T^{(N)}$ of the unfolding of a finite safe net, endowed with 
causality and conflict, form a PES, denoted $E(N)$. The transitions of a configura- 
tion $C \in \mathcal{C}(E(N))$ can be fired in any order compatible with causality, producing 
a marking $C^\circ = (P^{(0)} \cup \bigcup_{t \in C} t^\bullet) \setminus (\bigcup_{t \in C} {}^\bullet t)$ in $U(N)$; in turn, this corresponds 
to a reachable marking of $N$ given by $M(C) = \pi_1(C^\circ)$. As an example, the 
unfolding $U(N)$ of the running example net $N$ and the corresponding PES can 
be found in Figs. 1c and 1a. 


4.2 Automata Model Checking for Petri Nets 


The PES associated with a safe Petri net is known to be regular [27]. We next 
prove that it is also strongly regular and thus we can apply the theory developed 
so far for model checking $\mathcal{L}_{hp}$ over safe Petri nets. 

Let $N = (P, T, F, M_0)$ be a safe Petri net. A basic observation is that the 
residual of the PES $E(N)$ with respect to a configuration $C \in \mathcal{C}(E(N))$ is uniquely 
determined by the marking produced by $C$. This correspondence can be extended 
to pointed configurations by considering markings which additionally record, for 
the events of interest in the past, the places in the marking which are caused by 
such events. This motivates the definition below. 


Definition 15 (pointed marking). Let $N = (P, T, F, M_0)$ be a safe Petri net. 
Given a set $X$, an $X$-pointed marking is a pair $(M, r)$ with $r : X \to 2^M$. 


An $X$-pointed configuration $(C, \zeta)$ induces an $X$-pointed marking $M((C, \zeta)) =$ 
$(M(C), r)$ where $r(x) = \{\pi_1(b) \mid b \in C^\circ \wedge \zeta(x) < b\}$. Pointed configurations 
producing the same pointed marking have isomorphic pointed residuals. 


Proposition 1 (pointed markings vs residuals). Let $N = (P, T, F, M_0)$ be a 
safe Petri net. Given a set $X$ and two $X$-pointed configurations $(C_1, \zeta_1)$, $(C_2, \zeta_2)$ 
in $U(N)$, if $M((C_1, \zeta_1)) = M((C_2, \zeta_2))$ then $E(N)[(C_1, \zeta_1)] \approx E(N)[(C_2, \zeta_2)]$. 


By the previous result the PES associated with a finite safe Petri net is 
strongly regular. Indeed, by Proposition 1, the number of residuals of $X$-pointed configurations, 
up to isomorphism, is bounded by the number of $X$-pointed 
markings, which is clearly finite since the net is finite and safe. 


Corollary 1 (strong regularity). Let $N$ be a finite safe Petri net. Then the 
corresponding PES $E(N)$ is strongly regular. 


In order to instantiate the model checking framework to finite safe Petri 
nets, the idea is to take an equivalence over the infinite NPA by abstracting the 
(pointed) configurations associated with its states to pointed markings. 


Definition 16 (pointed-marking equivalence on NPA). Let $N$ be a finite 
safe Petri net and let $\varphi$ be a closed formula in $\mathcal{L}_{hp}$. Two states $q_1, q_2$ in the NPA 
$\mathcal{A}_{E(N),\varphi}$ are pointed-marking equivalent, written $q_1 \approx_m q_2$, if $q_i = (C_i, \eta_i, \psi)$, 
$i \in \{1,2\}$, for some $\psi \in sf(\varphi)$ and $M((C_1, \eta_1|_{fv(\psi)})) = M((C_2, \eta_2|_{fv(\psi)}))$. 


Using Proposition 1 we can immediately prove that $\approx_m$ refines $\approx_f$. Moreover 
we can show that $\approx_m$ is a bisimulation in the sense of Definition 13. 


Proposition 2 (marking equivalence is a bisimulation). Let $N$ be a finite 
safe Petri net and let $\varphi$ be a closed formula in $\mathcal{L}_{hp}$. The equivalence $\approx_m$ on the 
automaton $\mathcal{A}_{E(N),\varphi}$ is a bisimulation and it is of finite index. 


Relying on Propositions 1 and 2 we provide an explicit construction of the 
quotient automaton $\mathcal{A}_{E(N),\varphi/\approx_m}$. We introduce a convenient notation for tran- 
sitions between pointed markings. Given the variables $\mathbf{x}$, $\mathbf{y}$, a set $X$ such that 
$\mathbf{x} \cup \mathbf{y} \subseteq X$ and an $X$-pointed marking $(M, r)$, we write $(M, r) \xrightarrow{\mathbf{x},\, \overline{\mathbf{y}} < a\, z} (M', r')$ 
if $M[t\rangle M'$, $\lambda_N(t) = a$, for all $x \in \mathbf{x}$ we have $r(x) \cap {}^\bullet t \neq \emptyset$, for all $y \in \mathbf{y}$ it 
holds $r(y) \cap {}^\bullet t = \emptyset$, and $r'$ is defined by $r'(z) = t^\bullet$ and $r'(w) = (r(w) \cap M') \cup \{s \mid$ 
$r(w) \cap {}^\bullet t \neq \emptyset \wedge s \in t^\bullet\}$, for $w \neq z$. In words, from the pointed marking $(M, r)$ 
transition $t$ is fired and "pointed" by variable $z$. Transition $t$ is required to con- 
sume tokens caused by $\mathbf{x}$ and not to consume tokens caused by $\mathbf{y}$, in order to be 
itself caused by $\mathbf{x}$ and independent from $\mathbf{y}$. After the firing, variables which were 
causes of some $p \in {}^\bullet t$ become causes of the places in $t^\bullet$ and, clearly, $z$ causes $t^\bullet$. 
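The firing rule of Section 4.1 and the pointed-marking transition just defined are both small enough to execute directly, which is the easiest way to see how the causal bookkeeping in $r'$ works. The Python below is an added example serving both passages and is not the authors' TCWB code: it represents a safe net by pre-sets and post-sets, computes $R(N)$ while checking 1-safety (the general rule $M'(p) = M(p) + F(t,p) - F(p,t)$ specialised to at most one token per place), and implements $(M, r) \xrightarrow{\mathbf{x}, \overline{\mathbf{y}} < a z} (M', r')$ with the conditions on ${}^\bullet t$ and the update of $r$ exactly as stated above. The two nets are constructed toy inputs, not the net of Fig. 1.

```python
from collections import deque


class Net:
    """A finite Petri net N = (P, T, F, M0) with F encoded as pre-sets and
    post-sets.  Markings of a safe net are frozensets of marked places."""

    def __init__(self, places, transitions, m0):
        self.P = frozenset(places)
        # t -> (label lambda_N(t), pre-set •t, post-set t•)
        self.T = {t: (lab, frozenset(pre), frozenset(post))
                  for t, (lab, pre, post) in transitions.items()}
        self.M0 = frozenset(m0)

    def enabled(self, M, t):
        # M(p) >= F(p, t) for all p; for a safe net this is •t ⊆ M
        return self.T[t][1] <= M

    def fire(self, M, t):
        """M[t>M' with M'(p) = M(p) + F(t,p) - F(p,t).  Returns None when the
        firing would put a second token on a place, which witnesses non-safety."""
        _, pre, post = self.T[t]
        assert self.enabled(M, t)
        rest = M - pre
        return None if rest & post else rest | post

    def reachable(self):
        """R(N) by breadth-first exploration; raises if N turns out unsafe."""
        seen, todo = {self.M0}, deque([self.M0])
        while todo:
            M = todo.popleft()
            for t in self.T:
                if not self.enabled(M, t):
                    continue
                M2 = self.fire(M, t)
                if M2 is None:
                    raise ValueError(f"not safe: firing {t} at {sorted(M)}")
                if M2 not in seen:
                    seen.add(M2)
                    todo.append(M2)
        return seen

    def is_safe(self):
        try:
            self.reachable()
        except ValueError:
            return False
        return True

    def pointed_step(self, M, r, xs, ys, a, z):
        """All (M', r') with (M, r) --xs, ys < a z--> (M', r'): an a-labelled t
        fires, consuming a token caused by every variable in xs and none caused
        by a variable in ys.  Afterwards z causes t•, and a variable that caused
        some place of •t also causes t•; tokens it caused that survive stay."""
        out = []
        for t, (lab, pre, post) in self.T.items():
            if lab != a or not self.enabled(M, t):
                continue
            if any(not (r[x] & pre) for x in xs) or any(r[y] & pre for y in ys):
                continue
            M2 = self.fire(M, t)
            if M2 is None:
                raise ValueError("not safe")
            r2 = {w: (ps & M2) | (post if ps & pre else frozenset())
                  for w, ps in r.items()}
            r2[z] = post
            out.append((M2, r2))
        return out


# Constructed toy net (not the paper's Fig. 1): a forks into two branches
# that join again in c.
TOY = Net({"p1", "p2", "p3", "p4"},
          {"t1": ("a", {"p1"}, {"p2", "p3"}),
           "t2": ("b", {"p2"}, {"p4"}),
           "t3": ("c", {"p3", "p4"}, {"p1"})},
          {"p1"})

# Constructed net that is not safe: every firing of t adds a token to p2.
UNSAFE = Net({"p1", "p2"}, {"t": ("a", {"p1"}, {"p1", "p2"})}, {"p1"})


def walk():
    """Fire a (pointed by e1), then b caused by e1 (e2), then c caused by both."""
    (M1, r1), = TOY.pointed_step(TOY.M0, {}, [], [], "a", "e1")
    (M2, r2), = TOY.pointed_step(M1, r1, ["e1"], [], "b", "e2")
    (M3, r3), = TOY.pointed_step(M2, r2, ["e1", "e2"], [], "c", "e3")
    return M3, r3


if __name__ == "__main__":
    print(sorted(map(sorted, TOY.reachable())), TOY.is_safe(), UNSAFE.is_safe())
    print(walk())
```

In the walk, after $b$ fires the variable $e_1$ still causes $p_3$ (a surviving token it produced) and now also causes $p_4$ (because $b$ consumed $p_2$, which $e_1$ caused); asking for $b$ to be concurrent with $e_1$ instead yields no successor, since the only $b$-transition consumes a token caused by $e_1$.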


178 P. Baldan and T. Padoan 


Construction 1 (quotient NPA). Let $N$ be a finite safe Petri net and let 
$\varphi \in \mathcal{L}_{hp}$ be a closed formula. The quotient NPA $\mathcal{A}_{E(N),\varphi/\approx_m}$ is defined as follows. 
The set of states is $Q = \{(M, r, \psi) \mid M \in R(N) \wedge r : fv(\psi) \to 2^M \wedge \psi \in sf(\varphi)\}$. 
The initial state is $q_0 = (M_0, \emptyset, \varphi)$. The transition relation is defined, for any state 
$q = (M, r, \psi) \in Q$, by: 


- if $\psi = \mathsf{T}$ or $\psi = \mathsf{F}$, then $q \to (q)$; 

- if $\psi = \psi_1 \wedge \psi_2$, then $q \to (q_1, q_2)$ where $q_i = (M, r, \psi_i)$, $i \in \{1,2\}$; 

- if $\psi = \psi_1 \vee \psi_2$, then $q \to (q_1)$ and $q \to (q_2)$ where $q_i = (M, r, \psi_i)$, $i \in \{1,2\}$; 

- if $\psi = [\mathbf{x}, \overline{\mathbf{y}} < a\, z]\,\psi'$, let $S = \{(M', r'|_{fv(\psi')}) \mid (M, r) \xrightarrow{\mathbf{x},\, \overline{\mathbf{y}} < a\, z} (M', r')\}$; 
if $S = \{(M_1, r_1), \dots, (M_n, r_n)\} \neq \emptyset$ then $q \to (q_1, \dots, q_n)$ where $q_i =$ 
$(M_i, r_i, \psi')$ for $i \in [1,n]$, otherwise $q \to (q)$; 

- if $\psi = \langle \mathbf{x}, \overline{\mathbf{y}} < a\, z\rangle\,\psi'$, let $S = \{(M', r'|_{fv(\psi')}) \mid (M, r) \xrightarrow{\mathbf{x},\, \overline{\mathbf{y}} < a\, z} (M', r')\}$; if 
$S = \{(M_1, r_1), \dots, (M_n, r_n)\} \neq \emptyset$ then $q \to (q_i)$ where $q_i = (M_i, r_i, \psi')$ for 
$i \in [1,n]$, otherwise $q \to (q)$; 

- if $\psi = \alpha X(\mathbf{x}).\psi'$ then $q \to (q')$ where $q' = (M, r, X(\mathbf{x}))$; 

- if $\psi = X(\mathbf{y})$ and $\psi' \in sf(\varphi)$ is the subformula such that $\psi' = \alpha X(\mathbf{x}).\psi''$ then 
$q \to (q')$ where $q' = (M, r[\mathbf{x} \mapsto r(\mathbf{y})], \psi'')$. 


The acceptance condition is as in Definition 10. 


4.3 A Prototype Tool 


The algorithm for model checking Petri nets outlined before is implemented 
in the prototype tool TCWB (True Concurrency Workbench) [33], written in 
Haskell. The tool takes as input a safe Petri net $N$ and a closed formula $\varphi$ of $\mathcal{L}_{hp}$ 
and outputs the truth value of the formula on the initial marking of $N$. The 
algorithm builds the quotient NPA $\mathcal{A}_{E(N),\varphi/\approx_m}$ "on demand", i.e., the states 
of the automaton are generated when they are explored in the search for an 
accepting run. A path is recognised as successful when it includes a loop where 
a $\sqsubset_d^*$-maximal subformula is $\mathsf{T}$, a $[\,]$-subformula or a $\nu$-subformula. In this way 
only the fragment of $\mathcal{A}_{E(N),\varphi/\approx_m}$ relevant to decide the satisfaction of $\varphi$ is built. 

Given a net $N = (P, T, F, M_0)$ and a formula $\varphi$, the number of states in the 
quotient automaton $\mathcal{A}_{E(N),\varphi/\approx_m}$ can be bounded as follows. Recall that a state 
consists of a triple $(M, r, \psi)$ where $\psi \in sf(\varphi)$, $M$ is a reachable marking and $r :$ 
$fv(\psi) \to 2^M$ is a function. This leads to an upper bound $O(|sf(\varphi)| \cdot |R(N)| \cdot 2^{|P| \cdot v})$, 
where $v = \max\{|fv(\psi)| : \psi \in sf(\varphi)\}$ is the largest number of event variables 
appearing free in a subformula of $\varphi$. In turn, since $|R(N)| \le 2^{|P|}$, this is bounded 
by $O(|sf(\varphi)| \cdot 2^{|P| \cdot (v+1)})$. The size of the automaton is thus exponential in the size 
of the net and linear in the size of the formula. Moving from the interleaving 
fragment of the logic (where $v = 0$) to formulae capable of expressing true 
concurrent properties thus causes an exponential blow-up. However, note that 
the worst case requires all transitions to be related by causality and 
concurrency to all places in every possible way, something that should be quite 
unlikely in practice. Indeed, despite the fact that the tool is very preliminary 
and more tweaks and optimisations could improve its efficiency, in the practical 
tests we performed the execution time was typically well below the 
theoretical worst-case upper bound. 


5 Conclusions 


We introduced an automata-theoretic framework for the model checking of the 
logic for true concurrency $\mathcal{L}_{hp}$, representing the logical counterpart of a classical 
true concurrent equivalence, i.e., history preserving bisimilarity. The approach is 
developed abstractly for strongly regular PESs, which include regular trace PESs. 
A concrete model-checking procedure requires the identification of an effective 
bisimulation equivalence for the construction of the quotient automaton. We 
showed how this can be done for finite safe Petri nets. The technique is imple- 
mented in a proof-of-concept tool. 

We proved that the class of regular trace PESs is included in that of strongly 
regular PESs which in turn is included in the class of regular PESs. The precise 
relation of strongly regular PESs with the other two classes is still unclear and 
interesting in view of [34] that recently showed that regular trace PESs are strictly 
included in regular PESs, disproving Thiagarajan’s conjecture. 

Several other papers deal with model checking for logics on event structures. 
In [35] a technique is proposed for model checking a CTL-style logic with modal- 
ities for immediate causality and conflict on a subclass of PESs. The logic is quite 
different from ours as formulae are satisfied by single events, the idea being that 
an event, with its causes, represents the local state of a component. The pro- 
cedure involves the construction of a finite representation of the PES associated 
with a program which has some conceptual relation with our quotienting phase. 
In [19] the author shows that first order logic and Monadic Trace Logic (MTL), 
a restricted form of monadic second order (MSO) logic are decidable on regular 
trace event structures. The possibility of directly observing conflicts in MTL and 
thus of distinguishing behaviourally equivalent PESs (e.g., the PESs consisting of 
a single or two conflicting copies of an event), and the presence in $\mathcal{L}_{hp}$ of propo- 
sitions which are non-monadic with respect to event variables, make these logics 
not immediate to compare. Still, a deeper investigation is definitely worth 
pursuing, especially in view of the fact that, in the propositional case, the mu- 
calculus corresponds to the bisimulation invariant fragment of MSO logic [36]. 

The work summarised in [18] develops a game theoretic approach for model 
checking a concurrent logic over partial order models. It has been observed in [20] 
that such a logic is incomparable to $\mathcal{L}_{hp}$. Preliminary investigations show that our 
model-checking framework could be adapted to such a logic and, more generally, 
to a logic joining the expressive power of the two. Moreover, further explor- 
ing the potential of a game theoretic approach in our setting represents an 
interesting avenue for further research. 

Compared to our previous work [26], we extended the range of the technique 
to the full logic $\mathcal{L}_{hp}$, without limitations concerning the alternation depth of 
formulae. Relaxing the restriction to strongly regular PESs, instead, appears to 
be quite problematic unless one is willing to deal with transfinite runs which, 
however, would be of very limited practical interest. 

The tool is still very preliminary. As suggested by its (wishful) name (inspired 
by the classical Edinburgh Concurrency Workbench [37]) we would like to bring 
the TCWB to a more mature stage, working on optimisations and adding an 
interface that gives access to a richer set of commands. 


Acknowledgements. We are grateful to Perdita Stevens for insightful hints and 
pointers to the literature and to the anonymous reviewers for their comments. 
Abstract. This paper proposes a definition of what it means for one 
system description language to encode another one, thereby enabling 
an ordering of system description languages with respect to expressive 
power. I compare the proposed definition with other definitions of encod- 
ing and expressiveness found in the literature, and illustrate it on a well- 
known case study: the encoding of the synchronous in the asynchronous 
$\pi$-calculus. 


1 Introduction 


This paper, like [16,21], aims at answering the question what it means for one 
language to encode another one, and making the resulting definition applicable 
to order system description languages like CCS, CSP and the $\pi$-calculus with 
respect to their expressive power. 

To this end it proposes a unifying concept of valid translation between two 
languages up to a semantic equivalence or preorder. It applies to languages whose 
semantics interprets the operators and recursion constructs as operations on a set 
of values, called a domain. Languages can be partially ordered by their expres- 
siveness up to the chosen equivalence or preorder according to the existence of 
valid translations between them. 

The concept of a [valid] translation between system description languages (or 
process calculi) was first formally defined by Boudol [3]. There, and in most other 
related work in this area, the domain in which a system description language 
is interpreted consists of the closed expressions from the language itself. In [14] 
I have reformulated Boudol’s definition, while dropping the requirement that the 
domain of interpretation is the set of closed terms. This allows (but does not 
enforce) a clear separation of syntax and semantics, in the tradition of universal 
algebra. Nevertheless, the definition employed in [14] only deals with the case 
that all (relevant) elements in the domain are denotable as the interpretations 
of closed terms. In [16] situations are described where such a restriction is unde- 
sirable. In addition, both [3,14] require the semantic equivalence ~ under which 
two languages are compared to be a congruence for both of them. This is too 
severe a restriction to capture many recent encodings [1,2,7,30,31,33,38,43]. 
In [16] I alleviated these two restrictions by proposing two notions of encod- 
ing: correct and valid translations up to ~. Each of them generalises the propos- 
als of [3,14]. The former drops the restriction on denotability as well as ~ being 
a congruence for the whole target language, but it requires ~ to be a congru- 
ence for the source language, as well as for the source’s image within the target. 
The latter drops both congruence requirements (and allows ~ to be a preorder 
rather than an equivalence), but at the expense of requiring denotability by 
closed terms. In situations where ~ is a congruence for the source language’s 
image within the target language and all semantic values are denotable, the two 
notions agree. 

The current paper further generalises the work of [16] by proposing a new 
notion of a valid translation that incorporates the correct and valid translations 
of [16] as special cases. It drops the congruence requirements as well as the 
restriction on denotability. 

As in [16], my aim is to generalise the concept of a valid translation as much as 
possible, so that it is uniformly applicable in many situations, and not just in the 
world of process calculi. Also, it needs to be equally applicable to encodability 
and separation results, the latter saying that an encoding of one language in 
another does not exist. At the same time, I try to derive this concept from a 
unifying principle, rather than collecting a set of criteria that justify a number 
of known encodability and separation results that are intuitively justified. 


Overview of the Paper. Section 2 defines my new concept of a valid translation 
up to a semantic equivalence or preorder $\sqsim$. Roughly, a valid translation of one 
language into another is a mapping from the expressions in the first language to 
those in the second that preserves their meaning, i.e. such that the meaning of a 
translated expression is semantically equivalent to the meaning of the original. 

Section 3 shows that this concept generalises the notion of a correct transla- 
tion from [16]: a translation is correct up to a semantic equivalence ~ iff it is 
valid up to ~ and ~ is a congruence for the source language as well as for the 
image of the source language within the target language. 

Likewise, [18]—the full version of this paper—establishes the coincidence of 
my validity-based notion of expressiveness with the one from [16] when applying 
both to languages for which all semantic values are denotable by closed terms. 

One language is said to be at least as expressive as another up to $\sqsim$ iff 
there exists a valid translation up to $\sqsim$ of the latter language into the former. 
Section 4 shows that “being at least as expressive as” is a preorder on languages. 
This expressiveness preorder depends on the choice of $\sqsim$, and a coarser choice 
(making fewer distinctions) yields a richer preorder of expressiveness inclusions. 

Section 6 illustrates the framework on a well-known case study: the encoding 
of the synchronous in the asynchronous $\pi$-calculus. 

Section 7 discusses the congruence closure of a semantic equivalence for a 
given language, and remarks that in the presence of operators with infinite arity 
it is not always a congruence. Section 8 states a useful congruence closure prop- 
erty for valid translations: if a translation between two languages exists that is 
valid up to a semantic equivalence $\sim$, then it is even valid up to an equivalence 
that 

— on the source language coincides with the congruence closure of $\sim$, 

— on the image of the source within the target language also coincides with the 
congruence closure of $\sim$, and 

— melts each equivalence class of the source with exactly one of the target. 


Section 9 concludes that the framework established thus far is great for com- 
paring the expressiveness of languages, but falls short for the purpose of combin- 
ing language features. This requires a congruence reflection theorem, provided 
in Sect. 12, for languages satisfying postulates formulated in Sects. 5, 10 and 11. 

Section 12 defines when a translation is compositional, and shows that any 
valid translation up to $\dot\sim$ can be modified into a compositional translation valid 
up to $\dot\sim$. This requires restricting attention to languages and preorders $\dot\sim$ that 
satisfy some mild sanity requirements—the postulates of Sects. 10 and 11. Hence, 
for the purpose of comparing the expressive power of languages, valid translations 
between them may be presumed compositional. 

Section 13 compares my approach with the one of Gorla [21], and concludes. 
Omitted proofs and counterexamples (marked by †) can be found in [18]. 


2 Languages, Valid Translations, and Expressiveness 


A language consists of syntax and semantics. The syntax determines the valid 
expressions in the language. The semantics is given by a mapping $[\![\,]\!]$ that 
associates with each valid expression its meaning, which can for instance be an 
object, concept or statement. 

Following [16], I represent a language $\mathcal L$ as a pair $(T_{\mathcal L},[\![\,]\!]_{\mathcal L})$ of a set $T_{\mathcal L}$ of 
valid expressions in $\mathcal L$ and a mapping $[\![\,]\!]_{\mathcal L}:T_{\mathcal L}\to D_{\mathcal L}$ from $T_{\mathcal L}$ into some set of 
meanings $D_{\mathcal L}$. 


Definition 1 ([16]). A translation from a language $\mathcal L$ into a language $\mathcal L'$ is a 
mapping $\mathcal T:T_{\mathcal L}\to T_{\mathcal L'}$. 


In this paper, I consider single-sorted languages $\mathcal L$ in which expressions or terms 
are built from variables (taken from a set $\mathcal X$) by means of operators (including 
constants) and possibly recursion constructs. For such languages the meaning 
$[\![E]\!]_{\mathcal L}$ of an $\mathcal L$-expression $E$ is a function of type $(\mathcal X\to\mathbb V)\to\mathbb V$ for a given set of 
values $\mathbb V$. It associates a value $[\![E]\!]_{\mathcal L}(\rho)\in\mathbb V$ to $E$ that depends on the choice of a 
valuation $\rho:\mathcal X\to\mathbb V$. The valuation associates a value from $\mathbb V$ with each variable. 

Since normally the names of variables are irrelevant and the cardinality of 
the set of variables satisfies only the requirement that it is “sufficiently large”, 
no generality is lost by insisting that two (system description) languages whose 
expressiveness is being compared employ the same set of (process) variables. 
On the other hand, two languages $\mathcal L$ and $\mathcal L'$ may be interpreted in different 
domains of values $\mathbb V$ and $\mathbb V'$. 
Let $\mathcal L$ and $\mathcal L'$ be languages as considered above, with semantic mappings 

$$[\![\,]\!]_{\mathcal L}:T_{\mathcal L}\to((\mathcal X\to\mathbb V)\to\mathbb V)\quad\text{and}\quad[\![\,]\!]_{\mathcal L'}:T_{\mathcal L'}\to((\mathcal X\to\mathbb V')\to\mathbb V').$$

In order to compare these languages w.r.t. their expressive power I need a seman- 
tic equivalence or preorder $\dot\sim$ that is defined on a unifying domain of interpreta- 
tion $\mathbb Z$, with $\mathbb V,\mathbb V'\subseteq\mathbb Z$.¹ Intuitively, $v'\dot\sim v$ with $v\in\mathbb V$ and $v'\in\mathbb V'$ means that 
values $v$ and $v'$ are sufficiently alike for our purposes, so that one can accept a 
translation of an expression with meaning $v$ into an expression with meaning $v'$. 
Below, target values of a translation (in $\mathbb V'$) are written on the left. 

Correct and valid translations up to a semantic equivalence or preorder $\dot\sim$ 
were introduced in [16]. Here I redefine these concepts in terms of a new concept 
of correctness w.r.t. a semantic translation. 


Definition 2. Let $\mathbb V$ and $\mathbb V'$ be domains of values in which two languages $\mathcal L$ 
and $\mathcal L'$ are interpreted. A semantic translation from $\mathbb V$ into $\mathbb V'$ is a relation 
$\mathcal R\subseteq\mathbb V'\times\mathbb V$ such that $\forall v\in\mathbb V.\ \exists v'\in\mathbb V'.\ v'\,\mathcal R\,v$. 

Thus every semantic value in $\mathbb V$ needs to have a counterpart in $\mathbb V'$—possibly mul- 
tiple ones. For valuations $\eta:\mathcal X\to\mathbb V'$, $\rho:\mathcal X\to\mathbb V$ I write $\eta\,\mathcal R\,\rho$ iff $\eta(X)\,\mathcal R\,\rho(X)$ 
for each $X\in\mathcal X$. 


Definition 3. A translation $\mathcal T:T_{\mathcal L}\to T_{\mathcal L'}$ is correct w.r.t. a semantic transla- 
tion $\mathcal R$ if $[\![\mathcal T(E)]\!]_{\mathcal L'}(\eta)\ \mathcal R\ [\![E]\!]_{\mathcal L}(\rho)$ for all expressions $E\in T_{\mathcal L}$ and all valuations 
$\eta:\mathcal X\to\mathbb V'$ and $\rho:\mathcal X\to\mathbb V$ with $\eta\,\mathcal R\,\rho$. 

Thus $\mathcal T$ is correct iff the meaning of the translation of an expression $E$ is a 
counterpart of the meaning of $E$, no matter what values are filled in for the 
variables, provided that the value filled in for a given variable $X$ occurring in 
the translation $\mathcal T(E)$ is a counterpart of the value filled in for $X$ in $E$. 


Definition 4. A translation $\mathcal T:T_{\mathcal L}\to T_{\mathcal L'}$ is correct up to $\dot\sim$ iff $\dot\sim$ is an 
equivalence, the restriction $\mathcal R$ of $\dot\sim$ to $\mathbb V'\times\mathbb V$ is a semantic translation, and $\mathcal T$ 
is correct w.r.t. $\mathcal R$. 

Definition 5. A translation $\mathcal T$ is valid up to $\dot\sim$ iff it is correct w.r.t. some 
semantic translation $\mathcal R\subseteq\ \dot\sim$. Language $\mathcal L'$ is at least as expressive as $\mathcal L$ up to $\dot\sim$ 
if a translation valid up to $\dot\sim$ from $\mathcal L$ into $\mathcal L'$ exists. 


Example 4 in [18] illustrates both notions and shows their difference. 


¹ I will be chiefly interested in the case that $\dot\sim$ is an equivalence—hence the choice 
of a symbol that looks like $\sim$. However, to establish Observation 2 and Theorem 2 
below, it suffices to know that $\dot\sim$ is reflexive and transitive. My convention is that the 
dotted end of $\dot\sim$ points to a translation and the other end to an original—without 
offering an intuition for the possible asymmetry. 




3 Correct = Valid + Congruence 


In [16] the concept of a correct translation up to $\sim$ was defined, for $\sim$ a semantic 
equivalence on $\mathbb Z$. Here two valuations $\eta,\rho:\mathcal X\to\mathbb Z$ are called $\sim$-equivalent, 
$\eta\sim\rho$, if $\eta(X)\sim\rho(X)$ for each $X\in\mathcal X$. In case there exists a $v\in\mathbb V$ for 
which there is no $\sim$-equivalent $v'\in\mathbb V'$, there is no correct translation from $\mathcal L$ 
into $\mathcal L'$ up to $\sim$. Namely, the semantics of $\mathcal L$ describes, among others, how any 
$\mathcal L$-operator evaluates the argument value $v$, and this aspect of the language has 
no counterpart in $\mathcal L'$. Therefore, [16] requires 

$$\forall v\in\mathbb V.\ \exists v'\in\mathbb V'.\ v'\sim v. \tag{1}$$

This implies that for any valuation $\rho:\mathcal X\to\mathbb V$ there is an $\eta:\mathcal X\to\mathbb V'$ with $\eta\sim\rho$. 

Definition 6 ([16]). A translation $\mathcal T$ from $\mathcal L$ into $\mathcal L'$ is correct up to $\sim$ iff (1) 
holds and $[\![\mathcal T(E)]\!]_{\mathcal L'}(\eta)\sim[\![E]\!]_{\mathcal L}(\rho)$ for all $E\in T_{\mathcal L}$ and all valuations $\eta:\mathcal X\to\mathbb V'$ 
and $\rho:\mathcal X\to\mathbb V$ with $\eta\sim\rho$. 

Note that this definition agrees completely with Definition 4. Requirement (1) 
above corresponds to $\mathcal R$ being a semantic translation in Definition 4. 

If a correct translation up to ~ from £ into L’ exists, then ~ must be a 
congruence for £. 


Definition 7. An equivalence relation $\sim$ is a congruence for a language $\mathcal L$ inter- 
preted in a semantic domain $\mathbb V$ if $[\![E]\!]_{\mathcal L}(\nu)\sim[\![E]\!]_{\mathcal L}(\rho)$ for any $\mathcal L$-expression $E$ 
and any valuations $\nu,\rho:\mathcal X\to\mathbb V$ with $\nu\sim\rho$.² 


Proposition 1 ([16]). If $\mathcal T$ is a correct translation up to $\sim$ from $\mathcal L$ into $\mathcal L'$, then 
$\sim$ is a congruence for $\mathcal L$. 


The existence of a correct translation up to $\sim$ from $\mathcal L$ into $\mathcal L'$ does not imply 
that $\sim$ is a congruence for $\mathcal L'$. However, $\sim$ has the properties of a congruence 
for those expressions of $\mathcal L'$ that arise as translations of expressions of $\mathcal L$, when 
restricting attention to valuations into $U:=\{v'\in\mathbb V'\mid\exists v\in\mathbb V.\ v'\sim v\}$. In [16] 
this is called a congruence for $\mathcal T(\mathcal L)$. 

Definition 8. Let $\mathcal T:T_{\mathcal L}\to T_{\mathcal L'}$ be a translation from $\mathcal L$ into $\mathcal L'$. An equiva- 
lence $\sim$ on $\mathbb V'$ is a congruence for $\mathcal T(\mathcal L)$ if $[\![\mathcal T(E)]\!]_{\mathcal L'}(\theta)\sim[\![\mathcal T(E)]\!]_{\mathcal L'}(\eta)$ for any 
$E\in T_{\mathcal L}$ and $\theta,\eta:\mathcal X\to U$ with $\theta\sim\eta$. 

Proposition 2 ([16]). If $\mathcal T$ is a correct translation up to $\sim$ from $\mathcal L$ into $\mathcal L'$, then 
$\sim$ is a congruence for $\mathcal T(\mathcal L)$. 


The following theorem tells that the notion of validity proposed in Sect. 2 can 
be seen as a generalisation of the notion of correctness from [16] that applies to 
equivalences (and preorders) $\dot\sim$ that need not be congruences for $\mathcal L$ or $\mathcal T(\mathcal L)$. 

Theorem 1. A translation $\mathcal T$ from $\mathcal L$ into $\mathcal L'$ is correct up to a semantic equiv- 
alence $\sim$ iff it is valid up to $\sim$ and $\sim$ is a congruence for $\mathcal T(\mathcal L)$. † 
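As an added illustration of Definitions 2–5 and Theorem 1 (my code, not the paper's), the following Python brute-forces correctness on two finite toy languages. The source language $\mathcal L$ has Boolean terms over the variables $X,Y$ with operators and, or, xor, interpreted in $\mathbb V=\{0,1\}$; the target $\mathcal L'$ has arithmetic terms modulo 4 with operators mul and add, interpreted in $\mathbb V'=\{0,1,2,3\}$. The translation $\mathcal T$, both domains and the semantic translation $\mathcal R$ (“same parity”) are my own choices for illustration; $\sim$ is the same-parity equivalence on $\mathbb Z=\mathbb V\cup\mathbb V'$, so $\mathcal R$ is its restriction to $\mathbb V'\times\mathbb V$, and by Theorem 1 correctness up to $\sim$ amounts to validity plus $\sim$ being a congruence for $\mathcal T(\mathcal L)$. Exhaustive enumeration of terms and valuations is only feasible because the domains are finite.

```python
from itertools import product

VARS = ("X", "Y")
V = (0, 1)            # source domain (Booleans)
VP = (0, 1, 2, 3)     # target domain (integers modulo 4)

# Terms of either language: a variable name, or (op, left, right).
OPS_L = {"and": lambda a, b: a & b, "or": lambda a, b: a | b, "xor": lambda a, b: a ^ b}
OPS_LP = {"mul": lambda a, b: (a * b) % 4, "add": lambda a, b: (a + b) % 4}

def evaluate(ops, e, rho):
    """[[e]](rho): interpret e under valuation rho using the operator table ops."""
    if isinstance(e, str):
        return rho[e]
    op, a, b = e
    return ops[op](evaluate(ops, a, rho), evaluate(ops, b, rho))

def translate(e):
    """T: and->mul, xor->add, or->a+b+ab; each clause preserves parity."""
    if isinstance(e, str):
        return e
    op, a, b = e
    ta, tb = translate(a), translate(b)
    if op == "and":
        return ("mul", ta, tb)
    if op == "xor":
        return ("add", ta, tb)
    return ("add", ("add", ta, tb), ("mul", ta, tb))

def bad_translate(e):
    """A wrong translation that maps or to add; the checker must reject it."""
    if isinstance(e, str):
        return e
    op, a, b = e
    ta, tb = bad_translate(a), bad_translate(b)
    return ("mul", ta, tb) if op == "and" else ("add", ta, tb)

def R(vp, v):
    """Semantic translation R, a subset of V' x V: same parity (my choice)."""
    return vp % 2 == v % 2

def same_parity(a, b):
    """The equivalence ~ on the unifying domain Z = V u V'."""
    return a % 2 == b % 2

def valuations(dom):
    return [dict(zip(VARS, vals)) for vals in product(dom, repeat=len(VARS))]

def related(rel, eta, rho):
    """eta rel rho, pointwise on all variables."""
    return all(rel(eta[x], rho[x]) for x in VARS)

def all_terms(depth):
    """Every source term over VARS with nesting depth at most `depth`."""
    terms = list(VARS)
    for _ in range(depth):
        terms += [(op, a, b) for op in OPS_L for a in terms for b in terms]
    return terms

def is_semantic_translation(rel=R):
    """Definition 2: every v in V has some counterpart v' in V'."""
    return all(any(rel(vp, v) for vp in VP) for v in V)

def is_correct_wrt(trans, rel=R, depth=2):
    """Definition 3: [[T(E)]](eta) rel [[E]](rho) whenever eta rel rho."""
    for e in all_terms(depth):
        te = trans(e)
        for rho in valuations(V):
            for eta in valuations(VP):
                if related(rel, eta, rho) and not rel(
                        evaluate(OPS_LP, te, eta), evaluate(OPS_L, e, rho)):
                    return False
    return True

def is_congruence_for_TL(trans, sim=same_parity, depth=2):
    """Definition 8: sim is a congruence for T(L) on U = {v' | exists v. v' sim v}."""
    U = [vp for vp in VP if any(sim(vp, v) for v in V)]
    for e in all_terms(depth):
        te = trans(e)
        for theta in valuations(U):
            for eta in valuations(U):
                if related(sim, theta, eta) and not sim(
                        evaluate(OPS_LP, te, theta), evaluate(OPS_LP, te, eta)):
                    return False
    return True

if __name__ == "__main__":
    # Theorem 1 in action: correct w.r.t. the restriction of ~ (a semantic
    # translation), hence valid up to ~, and ~ is a congruence for T(L).
    print("R is a semantic translation:", is_semantic_translation())
    print("T correct w.r.t. R:", is_correct_wrt(translate))
    print("~ congruence for T(L):", is_congruence_for_TL(translate))
    print("bad_translate correct w.r.t. R:", is_correct_wrt(bad_translate))
```

The deliberately wrong `bad_translate` is rejected at the term or(X, Y) with $X=Y=1$: the source yields 1 while add yields 2, which has the other parity.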


2 This is called a lean congruence in [17]; in the presence of recursion, stricter congru- 
ence requirements are common. Those are not needed in this paper. 
4 A Hierarchy of Expressiveness Preorders 


An equivalence or preorder $\dot\sim$ on a class $\mathbb Z$ is said to be finer, stronger, or more 
discriminating than another equivalence or preorder $\dot\approx$ on $\mathbb Z$ if $v\dot\sim w\Rightarrow v\dot\approx w$ 
for all $v,w\in\mathbb Z$. 

Observation 1. Let $\mathcal T:T_{\mathcal L}\to T_{\mathcal L'}$ be a translation from $\mathcal L$ into $\mathcal L'$, and let $\dot\sim$ 
be finer than $\dot\approx$. If $\mathcal T$ is valid up to $\dot\sim$, then it is also valid up to $\dot\approx$. 


The quality of a translation depends on the choice of the equivalence or pre- 
order up to which it is valid. Any two languages are equally expressive up to 
the universal equivalence, relating any two processes. Hence, the equivalence 
or preorder needs to be chosen carefully to match the intended applications of 
the languages under comparison. In general, as shown by Observation 1, using 
a finer equivalence or preorder yields a stronger claim that one language can be 
encoded in another. On the other hand, when separating two languages £ and 
L’ by showing that £ cannot be encoded in £’, a coarser equivalence yields a 
stronger claim. 


Observation 2. The identity is a valid translation up to any preorder from any 
language into itself. 

Theorem 2. If valid translations up to $\dot\sim$ exist from $\mathcal L_1$ into $\mathcal L_2$ and from $\mathcal L_2$ 
into $\mathcal L_3$, then there is a valid translation up to $\dot\sim$ from $\mathcal L_1$ into $\mathcal L_3$. † 

Theorem 2 and Observation 2 show that the relation “being at least as expressive 
as up to $\dot\sim$” is a preorder on languages. 


5 Closed-Term Languages 


The languages considered in this paper feature variables, operators of arity $n\in\mathbb N$, 
and/or other constructs. The set $T_{\mathcal L}$ of $\mathcal L$-expressions is inductively defined by: 

— $X\in T_{\mathcal L}$ for each variable $X\in\mathcal X$, 
— $f(E_1,\dots,E_n)\in T_{\mathcal L}$ for each $n$-ary operator $f$ and expressions $E_i\in T_{\mathcal L}$, 
— and clauses for the other constructs, if any. 

Examples of other constructs are the infinite summation operator $\sum_{i\in I}E_i$ of 
CCS, which takes arbitrarily many arguments, or the recursion construct $\mu X.E$, 
that has one argument, but binds all occurrences of $X$ in that argument. 

In general a construct has a number (possibly infinite) of argument expres- 
sions and it may bind certain variables within some of its arguments—the scope 
of the binding. An occurrence of a variable $X$ in an expression is bound if it 
occurs within the scope of a construct that binds $X$, and free otherwise. 

The semantics of such a language is given, in part, by a domain of values 
$\mathbb V$, and an interpretation of each $n$-ary operator $f$ of $\mathcal L$ as an $n$-ary operation 
$f^{\mathbb V}:\mathbb V^n\to\mathbb V$ on $\mathbb V$. Using the equations 

$$[\![X]\!]_{\mathcal L}(\rho)=\rho(X)\quad\text{and}\quad[\![f(E_1,\dots,E_n)]\!]_{\mathcal L}(\rho)=f^{\mathbb V}\big([\![E_1]\!]_{\mathcal L}(\rho),\dots,[\![E_n]\!]_{\mathcal L}(\rho)\big)$$

this allows an inductive definition of the meaning $[\![E]\!]_{\mathcal L}$ of an $\mathcal L$-expression $E$. 
Moreover, $[\![E]\!]_{\mathcal L}(\rho)$ only depends on the restriction of $\rho$ to the set $fv(E)$ of 
variables occurring free in $E$. 

The set $T^{\mathcal L}\subseteq T_{\mathcal L}$ of closed terms of $\mathcal L$ consists of those $\mathcal L$-expressions $E\in T_{\mathcal L}$ 
with $fv(E)=\emptyset$. If $P\in T^{\mathcal L}$ and $\mathbb V\neq\emptyset$ then $[\![P]\!]_{\mathcal L}(\rho)$ is independent of the choice 
of $\rho:\mathcal X\to\mathbb V$, and therefore denoted $[\![P]\!]_{\mathcal L}$. 


Definition 9. A substitution in $\mathcal L$ is a partial function $\sigma:\mathcal X\rightharpoonup T_{\mathcal L}$ from the 
variables to the $\mathcal L$-expressions. For a given $\mathcal L$-expression $E\in T_{\mathcal L}$, $E[\sigma]\in T_{\mathcal L}$ 
denotes the $\mathcal L$-expression $E$ in which each free occurrence of a variable $X\in dom(\sigma)$ 
is replaced by $\sigma(X)$, while renaming bound variables in $E$ so as to avoid 
a free variable $Y$ occurring in an expression $\sigma(X)$ ending up being bound in 
$E[\sigma]$. A substitution is closed if it has the form $\sigma:\mathcal X\to T^{\mathcal L}$. 

An important class of languages used in concurrency theory are the ones where 
the distinction between syntax and semantics is effectively dropped by taking 
$\mathbb V=T^{\mathcal L}$, i.e. where the domain of values in which the language is interpreted 
consists of the closed terms of the language. Here a valuation is the same as a 
closed substitution, and $[\![E]\!]_{\mathcal L}(\rho)$ for $E\in T_{\mathcal L}$ and $\rho:\mathcal X\to T^{\mathcal L}$ is defined to be 
$E[\rho]\in T^{\mathcal L}$. I will call such languages closed-term languages. 


6 Translating a Synchronous into an Asynchronous $\pi$ 

As an illustration of the concepts introduced above, consider the $\pi$-calculus as 
presented in [28], i.e., the one of [44] without matching, $\tau$-prefixing, and choice. 

Given a set of names $\mathcal N$, the set $T_\pi$ of process expressions or terms $E$ of 
the calculus is given by 

$$E ::= X \ \mid\ 0 \ \mid\ \bar xy.E \ \mid\ x(z).E \ \mid\ E|E' \ \mid\ (\nu z)E \ \mid\ {!E}$$

with $x,y,z$ ranging over $\mathcal N$, and $X$ over $\mathcal X$, the set of process variables. Process 
variables are not considered in [44], although they are common in languages 
like CCS [27] that feature a recursion construct. Since process variables form a 
central part of my notion of a valid or correct translation, here they have simply 
been added. This works generally. In Sect. 12 I show that for the purpose of 
assessing whether one language is as expressive as another, translations between 
them can be assumed to be compositional. This important result would be lost if 
process variables were dropped from the language. In that case compositionality 
would need to be stated as a separate requirement for valid translations. 

Closed process expressions are called processes. The $\pi$-calculus is usually 
presented as a closed-term language, in that the semantic value associated with 
a closed term is simply itself. Yet, the real semantics is given by a reduction 
relation between processes, defined below. 


Definition 10. An occurrence of a name $z$ in a $\pi$-calculus process $P\in T^\pi$ is 
bound if it occurs within a subexpression $x(z).P'$ or $(\nu z)P'$ of $P$; otherwise it 
is free. Let $n(P)$ (resp. $bn(P)$) be the set of names occurring (bound) in $P\in T^\pi$. 
Structural congruence, $\equiv$, is the smallest congruence relation on processes 
satisfying 

$$\begin{array}{lll}
P_1|(P_2|P_3)\equiv(P_1|P_2)|P_3 & !P\equiv P\,|\,!P & (\nu w)(P|Q)\equiv P|(\nu w)Q \\
P_1|P_2\equiv P_2|P_1 & (\nu z)0\equiv 0 & x(z).P\equiv x(w).P\{w/z\} \\
P|0\equiv P & (\nu z)(\nu w)P\equiv(\nu w)(\nu z)P & (\nu z)P\equiv(\nu w)P\{w/z\} .
\end{array}$$

Here the rightmost column only holds when $w\notin n(P)$, and $P\{w/z\}$ denotes the 
process obtained by replacing each free occurrence of $z$ in $P$ by $w$. 


Definition 11. The reduction relation, $\to\ \subseteq T^\pi\times T^\pi$, is generated by the 
following rules. 

$$\bar xy.P\ |\ x(z).Q\ \to\ P\ |\ Q\{y/z\}\qquad (y\notin bn(Q))$$

$$\frac{P\to P'}{P|Q\to P'|Q}\qquad\frac{P\to P'}{(\nu z)P\to(\nu z)P'}\qquad\frac{Q\equiv P\quad P\to P'\quad P'\equiv Q'}{Q\to Q'}$$

Let $\Rightarrow$ be the reflexive and transitive closure of $\to$. The observable behaviour 
of $\pi$-calculus processes is often stated in terms of the outputs they can produce 
(abstracting from the value communicated on an output channel). 


Definition 12. Let $x\in\mathcal N$. A process $P$ has a strong output barb on $x$, notation 
$P\downarrow_x$, if $P$ can perform an output action $\bar xz$. This is defined inductively: 

$$(\bar xz.P)\downarrow_x\qquad\frac{P\downarrow_x}{(P|Q)\downarrow_x}\qquad\frac{Q\downarrow_x}{(P|Q)\downarrow_x}\qquad\frac{P\downarrow_x\quad x\neq z}{((\nu z)P)\downarrow_x}\qquad\frac{P\downarrow_x}{(!P)\downarrow_x}$$

A process $P$ has a weak output barb on $x$, $P\Downarrow_x$, if there is a $P'$ with $P\Rightarrow P'\downarrow_x$. 


A common semantic equivalence applied in the $\pi$-calculus is weak barbed con- 
gruence [29,44]. 

Definition 13. Weak (output) barbed bisimilarity is the largest symmetric rela- 
tion $\dot\approx\ \subseteq T^\pi\times T^\pi$ such that 

— $P\dot\approx Q$ and $P\downarrow_x$ implies $Q\Downarrow_x$, and 
— $P\dot\approx Q$ and $P\Rightarrow P'$ implies $Q\Rightarrow Q'$ for some $Q'$ with $P'\dot\approx Q'$. 

Weak barbed congruence, $\approx^c$, is the largest congruence included in $\dot\approx$. 


Often input barbs, defined similarly, are included in the definition of weak barbed 
bisimilarity [44]. This is known to induce the same notion of weak barbed con- 
gruence [44]. Another technique for defining weak barbed congruence is to use 
a barb, or set of barbs, external to the language under investigation, that are 
added to the language as constants [21], similar to the theory of testing of [9]. 
This method is useful for languages with a reduction semantics that do not fea- 
ture a clear notion of barb, or where there is ambiguity in which barbs should be 
counted and which not, or for comparing languages with different kinds of barb. 
Example 1. $\bar xz.0\not\approx^c(\nu u)(\bar xu.0\,|\,u(v).\bar vz.0)$. 
For let $E:=X\,|\,x(u).\bar uv.0$ with $\rho(X)=\bar xz.0$ and $\varsigma(X)=(\nu u)(\bar xu.0\,|\,u(v).\bar vz.0)$. 
Then $E[\varsigma]\to(\nu u)(u(v).\bar vz.0\,|\,\bar uv.0)\to(\bar vz.0)\downarrow_v$ but $E[\rho]\not\Downarrow_v$. 

The asynchronous $\pi$-calculus, as introduced by Honda and Tokoro in [24] and 
by Boudol in [4], is the sublanguage $a\pi$ of the fragment $\pi$ of the $\pi$-calculus pre- 
sented above where all subexpressions $\bar xy.E$ have the form $\bar xy.0$. Asynchronous 
barbed congruence, $\approx^c_a$, is the largest congruence for the asynchronous $\pi$-calculus 
included in $\dot\approx$. Since $a\pi$ is a sublanguage of $\pi$, $\approx^c_a$ is at least as coarse an equiv- 
alence as $\approx^c$, i.e. $\approx^c\subseteq\approx^c_a$. The inclusion is strict, since $!x(z).\bar xz.0\approx^c_a 0$, yet 
$!x(z).\bar xz.0\not\approx^c 0$ [44]. Since all expressions used in Example 1 belong to $a\pi$, one 
even has $\bar xz.0\not\approx^c_a(\nu u)(\bar xu.0\,|\,u(v).\bar vz.0)$. 

Boudol [4] defined a translation $\mathcal T$ from $\pi$ to $a\pi$ inductively as follows, where 
$\bar xy$ abbreviates $\bar xy.0$: 

$$\begin{array}{lcll}
\mathcal T(X) &=& X & \text{for }X\in\mathcal X\\
\mathcal T(0) &=& 0\\
\mathcal T(\bar xz.P) &=& (\nu u)(\bar xu\,|\,u(v).(\bar vz\,|\,\mathcal T(P))) & \text{choosing } u,v\notin n(P)\cup\{x,z\},\ u\neq v\\
\mathcal T(x(y).P) &=& x(u).(\nu v)(\bar uv\,|\,v(y).\mathcal T(P)) & \text{choosing } u,v\notin n(P)\cup\{x,y\},\ u\neq v\\
\mathcal T(P|Q) &=& \mathcal T(P)\,|\,\mathcal T(Q)\\
\mathcal T(!P) &=& !\mathcal T(P)\\
\mathcal T((\nu x)P) &=& (\nu x)\mathcal T(P)
\end{array}$$

Example 1 shows that $\mathcal T$ is not valid up to $\approx^c$. In fact, it is not even valid up to 
$\approx^c_a$. However, as shown in [25], it is valid up to $\dot\approx$. Since $\dot\approx$ is not a congruence 
(for $\pi$ or $a\pi$) it is not correct up to $\dot\approx$. 
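The following Python is an added example, not code from the paper or from [4]: it encodes the term syntax of Sect. 6 as nested tuples, computes $n(P)$, applies Boudol's translation $\mathcal T$ with fresh names drawn as u, v, u1, v1, ... (my naming scheme; the fresh names also avoid the subject and object of the prefix being translated, which the translation needs in order to make sense), checks membership in $a\pi$, and computes strong output barbs per Definition 12. Run as a script it prints the translations of $\bar xz.0\,|\,\bar xz.0$ and $\bar xz.\bar xz.0$, the pair of processes whose translations are compared again in Sect. 8.

```python
# Terms: ("var", X) | ("nil",) | ("out", x, y, P) | ("in", x, z, P)
#        | ("par", P, Q) | ("new", z, P) | ("bang", P)
NIL = ("nil",)

def names(P):
    """n(P): every name occurring in P, free or bound."""
    tag = P[0]
    if tag in ("var", "nil"):
        return set()
    if tag in ("out", "in"):
        return {P[1], P[2]} | names(P[3])
    if tag == "par":
        return names(P[1]) | names(P[2])
    if tag == "new":
        return {P[1]} | names(P[2])
    return names(P[1])                       # bang

def fresh(avoid, hint):
    """First of hint, hint1, hint2, ... that is not in avoid (my naming scheme)."""
    if hint not in avoid:
        return hint
    i = 1
    while f"{hint}{i}" in avoid:
        i += 1
    return f"{hint}{i}"

def boudol(P):
    """Boudol's T: each output prefix becomes an asynchronous output plus a handshake."""
    tag = P[0]
    if tag in ("var", "nil"):
        return P
    if tag == "out":
        x, z, tp = P[1], P[2], boudol(P[3])
        avoid = names(tp) | {x, z}           # assumption: u, v also differ from x, z
        u = fresh(avoid, "u")
        v = fresh(avoid | {u}, "v")
        # (nu u)( x-bar u | u(v).( v-bar z | T(P) ) )
        return ("new", u, ("par", ("out", x, u, NIL),
                            ("in", u, v, ("par", ("out", v, z, NIL), tp))))
    if tag == "in":
        x, y, tp = P[1], P[2], boudol(P[3])
        avoid = names(tp) | {x, y}
        u = fresh(avoid, "u")
        v = fresh(avoid | {u}, "v")
        # x(u).(nu v)( u-bar v | v(y).T(P) )
        return ("in", x, u, ("new", v, ("par", ("out", u, v, NIL),
                                        ("in", v, y, tp))))
    if tag == "par":
        return ("par", boudol(P[1]), boudol(P[2]))
    if tag == "new":
        return ("new", P[1], boudol(P[2]))
    return ("bang", boudol(P[1]))

def is_async(P):
    """True iff P lies in the asynchronous fragment: every output is x-bar y.0."""
    tag = P[0]
    if tag in ("var", "nil"):
        return True
    if tag == "out":
        return P[3] == NIL
    if tag == "in":
        return is_async(P[3])
    if tag == "par":
        return is_async(P[1]) and is_async(P[2])
    if tag == "new":
        return is_async(P[2])
    return is_async(P[1])

def strong_barbs(P):
    """{x | P has a strong output barb on x}, following Definition 12."""
    tag = P[0]
    if tag == "out":
        return {P[1]}
    if tag == "par":
        return strong_barbs(P[1]) | strong_barbs(P[2])
    if tag == "new":
        return strong_barbs(P[2]) - {P[1]}
    if tag == "bang":
        return strong_barbs(P[1])
    return set()                             # var, nil, input prefix

def show(P):
    """Render a term in the notation of Sect. 6."""
    tag = P[0]
    if tag == "var":
        return P[1]
    if tag == "nil":
        return "0"
    if tag == "out":
        return f"{P[1]}\u0304{P[2]}.{show(P[3])}"
    if tag == "in":
        return f"{P[1]}({P[2]}).{show(P[3])}"
    if tag == "par":
        return f"({show(P[1])}|{show(P[2])})"
    if tag == "new":
        return f"(\u03bd{P[1]}){show(P[2])}"
    return f"!{show(P[1])}"

if __name__ == "__main__":
    once = ("out", "x", "z", NIL)                    # x-bar z.0
    twice = ("out", "x", "z", once)                  # x-bar z.x-bar z.0
    for P in (("par", once, once), twice):           # the pair contrasted in Sect. 8
        print(show(P), "  =>  ", show(boudol(P)))
```

Because the fresh names are chosen to avoid everything in the already translated continuation, the nested output in $\bar xz.\bar xz.0$ receives a second pair u1, v1 rather than shadowing u, v, which matches the choice of distinct names in the Sect. 8 display up to renaming.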


7 Congruence Closure 


Definition 14. An equivalence relation $\sim$ is a 1-hole congruence for a language 
$\mathcal L$ interpreted in a semantic domain $\mathbb V$ if $[\![E]\!]_{\mathcal L}(\nu)\sim[\![E]\!]_{\mathcal L}(\rho)$ for any $\mathcal L$-expression 
$E$ and any valuations $\nu,\rho:\mathcal X\to\mathbb V$ with $\nu\sim^1\rho$. Here $\nu,\rho$ are $\sim^1$-equivalent, 
$\nu\sim^1\rho$, if $\nu(X)\sim\rho(X)$ for some $X\in\mathcal X$ and $\nu(Y)=\rho(Y)$ for all variables $Y\neq X$. 

An $n$-hole congruence for any finite $n\in\mathbb N$ can be defined in the same vein, and 
it is well known and easy to check that a 1-hole congruence $\sim$ is also an $n$-hole 
congruence, for any $n\in\mathbb N$. However, in the presence of operators with infinitely 
many arguments, a 1-hole congruence need not be a congruence. 


Example 2. Let $\mathbb V$ be $(\mathbb N\times\mathbb N)\cup\{\infty\}$, with the well-order $<$ on $\mathbb V$ inherited 
lexicographically from the default order on $\mathbb N$ and $\infty$ the largest element. So 
$(n,m)<(n',m')$ iff $n<n'\vee(n=n'\wedge m<m')$. Consider the language $\mathcal L$ with 
constants $0$, $1$ and $(1)$, interpreted in $\mathbb V$ as $(0,0)$, $(1,0)$ and $(0,1)$, respectively, 
the binary operator $+$, interpreted by $(n_1,m_1)+^{\mathbb V}(n_2,m_2)=(n_1+n_2,m_1+m_2)$ 
and $\infty+^{\mathbb V}v=v+^{\mathbb V}\infty=\infty$, and the construct $\sup(E_i)_{i\in I}$ that takes any number of 
arguments (depending on the index set $I$). The interpretation of $\sup$ 
in $\mathbb V$ is to take the supremum of its arguments w.r.t. the well-order $<$. In case 
$\sup$ is given finitely many arguments, it simply returns the largest. However 
$\sup((n,i))_{i\in\mathbb N}=(n+1,0)$. 

Now let the equivalence relation $\sim$ on $\mathbb V$ be defined by $(n,m)\sim(n',m')$ iff 
$n=n'$, leaving $\infty$ in an equivalence class of its own. This relation is a 1-hole 
congruence on $\mathcal L$. Hence, it is also a 2-hole congruence, so one has 

$$\big((n_1,m_1)\sim(n_1',m_1')\wedge(n_2,m_2)\sim(n_2',m_2')\big)\ \Rightarrow\ (n_1,m_1)+(n_2,m_2)\sim(n_1',m_1')+(n_2',m_2').$$

Yet it fails to be a congruence: $(n,i)\sim(n,0)$ for all $i\in\mathbb N$, but 
$(n+1,0)=\sup((n,i))_{i\in\mathbb N}\not\sim\sup((n,0))_{i\in\mathbb N}=(n,0)$. 
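Example 2 can be checked mechanically on finite instances, and the infinitary failure exhibited directly. The following Python is an added example, not part of the paper: it implements $+^{\mathbb V}$, $\sup$ and $\sim$. The marker ("row", n) is my own finite encoding of the infinite family $((n,i))_{i\in\mathbb N}$, whose supremum is $(n+1,0)$ as stated above; it lets `sup` handle exactly the families that occur in the example. The brute-force check covers finitely many values and finitely many arguments of $\sup$, which is the 1-hole (indeed $k$-hole) situation, while the last function shows the jump in $\sim$-class when infinitely many arguments are replaced at once.

```python
import itertools
import math

INF = (math.inf, 0)      # the top element of V = (N x N) u {infinity}

def plus(a, b):
    """The interpretation of +: componentwise, with infinity absorbing."""
    if a == INF or b == INF:
        return INF
    return (a[0] + b[0], a[1] + b[1])

def sup(family):
    """Supremum w.r.t. the lexicographic order of a family of arguments.
    An argument is a point (n, m) or ("row", n), my encoding of the
    infinite family of all (n, i) with i in N."""
    points = [a for a in family if a[0] != "row"]
    rows = [a[1] for a in family if a[0] == "row"]
    best = max(points) if points else None
    for n in rows:                         # lub of {(n, i) | i in N} is (n+1, 0)
        best = (n + 1, 0) if best is None else max(best, (n + 1, 0))
    if best is None:
        raise ValueError("sup of an empty family is not defined here")
    return best

def sim(a, b):
    """(n, m) ~ (n', m') iff n = n'; infinity is equivalent only to itself."""
    return a[0] == b[0]

def points_upto(bound):
    return [(n, m) for n in range(bound) for m in range(bound)] + [INF]

def one_hole_congruence_holds(bound=3, arity=3):
    """Brute-force Definition 14 for + and for sup applied to `arity` arguments:
    replacing one argument by a ~-equivalent one must not change the ~-class."""
    pts = points_upto(bound)
    for a, a2 in itertools.product(pts, repeat=2):
        if not sim(a, a2):
            continue
        for b in pts:
            if not (sim(plus(a, b), plus(a2, b)) and sim(plus(b, a), plus(b, a2))):
                return False
        for rest in itertools.product(pts, repeat=arity - 1):
            if not sim(sup([a, *rest]), sup([a2, *rest])):
                return False
    return True

def infinitary_failure(n):
    """Replace every (n, i) of the infinite family by the ~-equivalent (n, 0):
    the supremum drops from (n+1, 0) to (n, 0), which are not ~-related."""
    whole_row = sup([("row", n)])
    collapsed = sup([(n, 0)])
    return whole_row, collapsed, sim(whole_row, collapsed)

if __name__ == "__main__":
    print("1-hole congruence on finite instances:", one_hole_congruence_holds())
    print("infinitely many holes at once:", infinitary_failure(2))
```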


It is well known and easy to check that the collection of equivalence relations on 
any domain $\mathbb V$, ordered by inclusion, forms a complete lattice—namely the inter- 
section of arbitrarily many equivalence relations is again an equivalence relation. 
Likewise, the collection of 1-hole congruences for $\mathcal L$ is also a complete lattice, 
and moreover a complete sublattice of the complete lattice of equivalence rela- 
tions on $\mathbb V$. The latter implies that for any collection $C$ of 1-hole congruence 
relations, the least equivalence relation that contains all elements of $C$ (exists 
and) happens to be a 1-hole congruence relation. Again, this is a property that 
is well known [22] and easy to prove. It follows that for any equivalence relation 
$\sim$ there exists a largest 1-hole congruence for $\mathcal L$ contained in $\sim$. I will denote this 
1-hole congruence by $\sim^{\mathcal L}_c$, and call it the congruence closure of $\sim$ w.r.t. $\mathcal L$. One 
has $v_1\sim^{\mathcal L}_c v_2$ for $v_1,v_2\in\mathbb V$ iff $[\![E]\!]_{\mathcal L}(\nu)\sim[\![E]\!]_{\mathcal L}(\rho)$ for any $\mathcal L$-expression $E$ and 
any valuations $\nu,\rho:\mathcal X\to\mathbb V$ with $\nu(X)=v_1$ and $\rho(X)=v_2$ for some $X\in\mathcal X$ and 
$\nu(Y)=\rho(Y)$ for all $Y\neq X$. Such results do not generally hold for congruences. 


Example 3. Continue Example 2, but skipping the operator $+$. Let $\sim_k$ be the 
equivalence on $\mathbb V$ defined by $(n,m)\sim_k(n',m')$ if $n=n'\wedge(m=m'\vee m,m'<k)$. 
It is easy to check that all $\sim_k$ for $k\in\mathbb N$ are congruences on the reduced $\mathcal L$, and 
contained in $\sim$. Yet their least upper bound (in the lattice of equivalence relations 
on $\mathbb V$) is $\sim$, which is not a congruence itself. In particular, there is no largest 
congruence contained in $\sim$. 


When dealing with languages $\mathcal L$ in which all operators and other constructs 
have a finite arity, so that each $E\in T_{\mathcal L}$ contains only finitely many variables, 
there is no difference between a congruence and a 1-hole congruence, and thus 
$\sim^{\mathcal L}_c$ is a congruence relation for any equivalence $\sim$. I will apply the theory of 
expressiveness presented in this paper also to languages like CCS that have 
operators (such as $\sum_{i\in I}E_i$) of infinite arity. However, in all such cases I am 
currently aware of, the relevant choices of $\mathcal L$ and $\sim$ have the property that $\sim^{\mathcal L}_c$ 
is in fact a congruence relation. As an example, consider weak bisimilarity [27]. 
This equivalence relation fails to be a congruence for $+$. However, the coarsest 1- 
hole congruence contained in this relation, often called rooted weak bisimilarity, 
happens to be a congruence. In fact, when congruence-closing weak bisimilarity 
w.r.t. the binary sum, the result [15] is also a congruence for the infinitary sum, 
as well as for all other operators of CCS [27]. 
Definition 15. Let $\mathcal T$ be a translation from $\mathcal L$ into $\mathcal L'$. A subset $W$ of $\mathbb V'$ is 
closed under $\mathcal T(\mathcal L)$ if $[\![\mathcal T(E)]\!]_{\mathcal L'}(\eta)\in W$ for any expression $E\in T_{\mathcal L}$ and valuation 
$\eta:\mathcal X\to W$. An equivalence $\sim$ on $W$ is a congruence (respectively 1-hole 
congruence) for $\mathcal T(\mathcal L)$ on $W$ if for any $E\in T_{\mathcal L}$ and $\theta,\eta:\mathcal X\to W$ with $\theta\sim\eta$ 
(respectively $\theta\sim^1\eta$) one has $[\![\mathcal T(E)]\!]_{\mathcal L'}(\theta)\sim[\![\mathcal T(E)]\!]_{\mathcal L'}(\eta)$. 


Proposition 3. Let $\mathcal T$ be a translation from $\mathcal L$ into $\mathcal L'$ that is correct w.r.t. a 
semantic translation $\mathcal R\subseteq\mathbb V'\times\mathbb V$. Let $\mathcal R(\mathbb V):=\{v'\in\mathbb V'\mid\exists v\in\mathbb V.\ v'\,\mathcal R\,v\}$. Then 
$\mathcal R(\mathbb V)$ is closed under $\mathcal T(\mathcal L)$. 

Proof: Let $E\in T_{\mathcal L}$ and $\eta:\mathcal X\to\mathcal R(\mathbb V)$. Take $\rho:\mathcal X\to\mathbb V$ with $\eta\,\mathcal R\,\rho$. Then 
$[\![\mathcal T(E)]\!]_{\mathcal L'}(\eta)\ \mathcal R\ [\![E]\!]_{\mathcal L}(\rho)$. Since $[\![E]\!]_{\mathcal L}(\rho)\in\mathbb V$ one has $[\![\mathcal T(E)]\!]_{\mathcal L'}(\eta)\in\mathcal R(\mathbb V)$. 


Proposition 4. Let the translation $\mathcal T$ from $\mathcal L$ into $\mathcal L'$ be correct w.r.t. the 
semantic translation $\mathcal R\subseteq\ \sim$. Then $\sim$ is a (1-hole) congruence for $\mathcal L$ iff it is 
a (1-hole) congruence for $\mathcal T(\mathcal L)$ on $\mathcal R(\mathbb V)$. 

Proof: First suppose $\sim$ is a congruence for $\mathcal L$. Let $E\in T_{\mathcal L}$ and $\theta,\eta:\mathcal X\to\mathcal R(\mathbb V)$ 
with $\theta\sim\eta$. By the definition of $\mathcal R(\mathbb V)$ there are valuations $\nu,\rho:\mathcal X\to\mathbb V$ with 
$\theta\,\mathcal R\,\nu$ and $\eta\,\mathcal R\,\rho$. Now $\nu\sim\theta\sim\eta\sim\rho$, so 

$$[\![\mathcal T(E)]\!]_{\mathcal L'}(\theta)\ \ \mathcal R\ \ [\![E]\!]_{\mathcal L}(\nu)\ \sim\ [\![E]\!]_{\mathcal L}(\rho)\ \ \mathcal R^{-1}\ \ [\![\mathcal T(E)]\!]_{\mathcal L'}(\eta)$$

and hence $[\![\mathcal T(E)]\!]_{\mathcal L'}(\theta)\sim[\![\mathcal T(E)]\!]_{\mathcal L'}(\eta)$. The other direction proceeds in the 
same way. 

Now suppose $\sim$ is a 1-hole congruence for $\mathcal L$. Let $E\in T_{\mathcal L}$ and $\theta,\eta:\mathcal X\to\mathcal R(\mathbb V)$ 
with $\theta\sim^1\eta$. Then $\theta(X)\sim\eta(X)$ for some $X\in\mathcal X$ and $\theta(Y)=\eta(Y)$ for all 
$Y\neq X$. So there must be $\nu,\rho:\mathcal X\to\mathbb V$ with $\theta\,\mathcal R\,\nu$, $\eta\,\mathcal R\,\rho$ and $\nu(Y)=\rho(Y)$ 
for all $Y\neq X$. Since $\nu(X)\sim\theta(X)\sim\eta(X)\sim\rho(X)$ it follows that $\nu\sim^1\rho$. The 
conclusion proceeds as above, and the other direction goes likewise. 

The requirement of being a congruence for $\mathcal T(\mathcal L)$ on $\mathcal R(\mathbb V)$ is slightly weaker 
than that of being a congruence for $\mathcal T(\mathcal L)$—cf. Definition 8—for it proceeds by 
restricting attention to valuations into $\mathcal R(\mathbb V)\subseteq U$. † 


8 A Congruence Closure Property for Valid Translations 


In many applications, semantic values in the domain of interpretation of a lan- 
guage $\mathcal L$ are only meaningful up to a semantic equivalence $\sim^c$, and the intended 
semantic domain could just as well be seen as the set of $\sim^c$-equivalence classes 
of values. For this purpose it is essential that $\sim^c$ is a congruence for $\mathcal L$. Often $\sim^c$ 
is the congruence closure of a coarser semantic equivalence $\sim$, so that two values 
end up being identified iff they are $\sim$-equivalent in every context. An example of 
this occurred in Sect. 6, with $\dot\approx$ in the rôle of $\sim$ and $\approx^c$ in the rôle of $\sim^c$. Now 
Theorem 4, contributed in this section, says that if a translation from $\mathcal L$ into $\mathcal L'$ 
is valid up to $\sim$, then it is even valid up to an equivalence $\sim^c_{\mathcal{T}\!\mathcal{R}}$ that extends $\sim^c$ 
from $\mathbb V$ to a subdomain $W$ of $\mathbb V'$ that suffices for the interpretation of translated 
expressions from $\mathcal L$. This equivalence $\sim^c_{\mathcal{T}\!\mathcal{R}}$ coincides with the congruence closure 
of $\sim$ on $\mathcal L$, as well as on $\mathcal T(\mathcal L)$, and melts each equivalence class of $\mathbb V$ with exactly 
one of $W$, and vice versa. 

Let $\mathcal L$ and $\mathcal L'$ be languages with $[\![\,]\!]_{\mathcal L}:T_{\mathcal L}\to((\mathcal X\to\mathbb V)\to\mathbb V)$ and 
$[\![\,]\!]_{\mathcal L'}:T_{\mathcal L'}\to((\mathcal X\to\mathbb V')\to\mathbb V')$. In this section I assume that $\mathbb V\cap\mathbb V'=\emptyset$. To 
apply the results to the general case, just adapt $\mathcal L'$ by using a copy of $\mathbb V'$—any 
preorder $\sim$ on $\mathbb V\cup\mathbb V'$ extends to this copy by considering each copied element 
$\sim$-equivalent to the original. 


Definition 16. Given any semantic translation $\mathcal R$, let $\equiv_{\mathcal R}\ \subseteq(\mathbb V\cup\mathbb V')^2$ be the 
smallest equivalence relation on $\mathbb V\cup\mathbb V'$ containing $\mathcal R$. 

Theorem 3. If a translation $\mathcal T$ is correct w.r.t. the semantic translation $\mathcal R$, then 
$\equiv_{\mathcal R}$ is a 1-hole congruence for $\mathcal L$. † 

By Proposition 4 $\equiv_{\mathcal R}$ also is a 1-hole congruence for $\mathcal T(\mathcal L)$ on $\mathcal R(\mathbb V)$. Only the 
subset $\mathcal R(\mathbb V)$ of $\mathbb V'$ matters for the purpose of translating $\mathcal L$ into $\mathcal L'$. On $\mathbb V'\setminus\mathcal R(\mathbb V)$ 
the equivalence $\equiv_{\mathcal R}$ is the identity. 


Theorem 4. Let $\mathcal T$ be a translation from a language $\mathcal L$, with semantic domain 
$\mathbb V$, into a language $\mathcal L'$, with domain $\mathbb V'$, that is valid up to a semantic equivalence 
$\sim$. Then $\mathcal T$ is even valid up to a semantic equivalence $\sim^c_{\mathcal{T}\!\mathcal{R}}$ contained in $\sim$, such 
that (1) the restriction of $\sim^c_{\mathcal{T}\!\mathcal{R}}$ to $\mathbb V$ is the largest 1-hole congruence for $\mathcal L$ 
contained in $\sim$, (2) the set $W:=\{v'\in\mathbb V'\mid\exists v\in\mathbb V.\ v'\equiv_{\mathcal R}v\}$ is closed under 
$\mathcal T(\mathcal L)$, and (3) the restriction of $\sim^c_{\mathcal{T}\!\mathcal{R}}$ to $W$ is the largest 1-hole congruence for 
$\mathcal T(\mathcal L)$ on $W$ that is contained in $\sim$. † 

Note that each equivalence class of $\sim^c_{\mathcal{T}\!\mathcal{R}}$ on $\mathbb V\cup W$ melts an equivalence class of 
$\sim^c_{\mathcal{T}\!\mathcal{R}}$ on $\mathbb V$ with one of $\sim^c_{\mathcal{T}\!\mathcal{R}}$ on $W$. Moreover on $\mathbb V$ the relation is completely 
determined by $\mathcal L$ and $\sim$. However, in general the whole relation $\sim^c_{\mathcal{T}\!\mathcal{R}}$ is not 
completely determined by $\mathcal L$ and $\sim$. † 

Corollary 1. Let $\mathcal T$ be a translation from a language $\mathcal L$, with semantic domain 
$\mathbb V$, into a language $\mathcal L'$, with domain $\mathbb V'$, valid up to a semantic equivalence $\sim$, 
and suppose the congruence closure $\sim^{\mathcal L}_c$ of $\sim$ w.r.t. $\mathcal L$ is in fact a congruence. 
Then $\mathcal T$ is correct up to the equivalence $\sim^c_{\mathcal{T}\!\mathcal{R}}$ described in Theorem 4. † 


The languages $\pi$ and $a\pi$ of Sect. 6 do not feature operators (or other con- 
structs) of infinite arity. Hence the congruence closure $\sim^{\pi}_c$ or $\sim^{a\pi}_c$ of an equiv- 
alence $\sim$ on $\pi$ or $a\pi$ is always a congruence. So by Corollary 1 Boudol's trans- 
lation $\mathcal T$ is correct up to an equivalence $\approx^c_{\mathcal{T}\!\mathcal{R}}$ defined on the disjoint union 
of the domains $T^\pi$ and $T^{a\pi}$, on which the two languages are interpreted. This 
equivalence is contained in $\dot\approx$, and on the source domain $T^\pi$ coincides with $\approx^c$. 
By Theorem 4, the restriction of $\approx^c_{\mathcal{T}\!\mathcal{R}}$ to a subdomain $W\subseteq T^{a\pi}$ is the largest 
congruence for $\mathcal T(\pi)$ on $W$ that is contained in $\dot\approx$. As $\approx^c_a$ is a congruence for all 
of $a\pi$ on all of $T^{a\pi}$, and contained in $\dot\approx$, it is certainly a congruence for $\mathcal T(\pi)$ 
on $W$, and thus contained in $\approx^c_{\mathcal{T}\!\mathcal{R}}$. This inclusion turns out to be strict. As 
an illustration of that, note that $\bar xz.0\,|\,\bar xz.0\approx^c\bar xz.\bar xz.0$. (This follows since these 
processes are strong (early) bisimilar [44] and thus strong full bisimilar by [44, 
Definition 2.2.2].) Consequently, their translations must be related by $\approx^c_{\mathcal{T}\!\mathcal{R}}$. So, 
for distinct $u,v,y,w,z,x\in\mathcal N$, 

$$(\nu u)(\bar xu\,|\,u(v).(\bar vz\,|\,0))\ \big|\ (\nu u)(\bar xu\,|\,u(v).(\bar vz\,|\,0))\ \ \approx^c_{\mathcal{T}\!\mathcal{R}}\ \ (\nu y)(\bar xy\,|\,y(w).(\bar wz\,|\,(\nu u)(\bar xu\,|\,u(v).(\bar vz\,|\,0)))).$$

Yet, these processes are not $\approx^c_a$-equivalent, as can be seen by putting them in a 
context $x(y).x(y).\bar ss\,|\,X$. There, only the left-hand side has a weak barb $\Downarrow_s$. 


9 Integrating Language Features Through Translations 


The results of the previous section show how valid translations are satisfactory 
for comparing the expressiveness of languages. If there is a valid translation $\mathcal T$ 
from $\mathcal L$ to $\mathcal L'$ up to $\sim$, and (as usual) $\sim^{\mathcal L}_c$ is a congruence, then all truths that 
can be expressed in terms of $\mathcal L$ can be mimicked in $\mathcal L'$. For the congruence classes 
of $\sim^{\mathcal L}_c$ translate bijectively to congruence classes of an induced equivalence rela- 
tion on the domain of $\mathcal T(\mathcal L)$ (within the domain of $\mathcal L'$), and all operations on 
those congruence classes that can be performed by contexts of $\mathcal L$ have a perfect 
counterpart in terms of contexts of $\mathcal T(\mathcal L)$. This state of affairs was illustrated on 
Boudol's translation from a synchronous to an asynchronous $\pi$-calculus. 

There is however one desirable property of translations between languages 
that has not yet been achieved, namely to combine the powers of two languages 
into one unified language. If both languages $\mathcal L_1$ and $\mathcal L_2$ have valid translations 
into a language $\mathcal L'$, then all that can be done with $\mathcal L_1$ can be mimicked in a 
fragment of $\mathcal L'$, and all that can be done with $\mathcal L_2$ can be mimicked in another 
fragment of $\mathcal L'$. In order for these two fragments to combine, one would like to 
employ a single congruence relation on $\mathcal L'$ that specialises to congruence rela- 
tions for $\mathcal T_1(\mathcal L_1)$ and $\mathcal T_2(\mathcal L_2)$, which form the counterparts of relevant congruence 
relations for the source languages $\mathcal L_1$ and $\mathcal L_2$. 

In terms of the translation $\mathcal T$ from $\pi$ to $a\pi$, the equivalence $\approx^c_a$ on $T^{a\pi}$ would 
be the right congruence relation to consider for $a\pi$. Ideally, this congruence would 
extend to an equivalence $\approx^c_{\pi,a\pi}$ on the disjoint union $T^\pi\uplus T^{a\pi}$, such that the 
restriction of $\approx^c_{\pi,a\pi}$ to $T^\pi$ is a congruence for $\pi$. Necessarily, this congruence 
on $T^\pi$ would have to distinguish the terms $\bar xz.0\,|\,\bar xz.0$ and $\bar xz.\bar xz.0$, since their 
translations are distinguished by $\approx^c_a$. One therefore expects $\approx^c_{\pi,a\pi}$ on $T^\pi$ to be 
strictly finer than $\approx^c$. Here it is important that the union of $T^\pi$ and $T^{a\pi}$ on 
which this congruence is defined is required to be disjoint. For if one considers 
$T^{a\pi}$ as a subset of $T^\pi$, then we obtain that the restriction of $\approx^c_{\pi,a\pi}$ to that subset 
(1) coincides with $\approx^c_a$ and (2) is strictly finer than $\approx^c$. This contradicts the fact 
that $\approx^c$ is strictly finer than $\approx^c_a$. 

In Sect. 12 I will show that such a congruence $\approx^c_{\pi,a\pi}$ indeed exists. In fact, 
under a few very mild conditions this result holds generally, provided that the 
source language $\mathcal L$ is a closed-term language. † 
10 A Unique Decomposition of Terms 


The results of Sect. 12 apply only to languages satisfying two postulates, formu- 
lated below, and to preorders $\dot\sim$ that “respect $\equiv_\alpha$”, defined in Sect. 11. 

Definition 17. $\alpha$-conversion is the act of renaming all occurrences of a bound 
variable $X$ within the scope of its binding into another variable, say $Y$, while 
avoiding capture of free variables. Here one speaks of capture when a free occur- 
rence of $Y$ turns into a bound one. 

Write $E\equiv_\alpha F$ if expression $E$ can be converted into $F$ by acts of $\alpha$-conversion. 


In languages where there are multiple types of bound variables, $\equiv_\alpha$ allows con- 
version of all of them. In a $\pi$-calculus with recursion, for instance, there could 
be bound process variables $X\in\mathcal X$ as well as bound names $x\in\mathcal N$. The last two 
conversions in the right column of Definition 10 define $\alpha$-conversion for names. 


Postulate 1 ([16], paraphrased). There exists a class of expressions called 
standard heads, and a class of substitutions called standard substitutions, such 
that for each expression $E$, if not a variable, there are unique standard heads $H$ 
and substitutions $\sigma$ such that $E=H[\sigma]$. 

A term $f(c,g(c))$, for instance, can be written as $H[\sigma]$ where $H=f(X_1,X_2)$ is 
a head, and $\sigma:\{X_1,X_2\}\to T_{\mathcal L}$ is given by $\sigma(X_1)=c$ and $\sigma(X_2)=g(c)$. The 
head $H$ is standardised by means of a particular (arbitrary) choice for its argu- 
ment variables $X_1$ and $X_2$. $\sigma$ is standardised through a particular choice of the 
bound variables that may occur in the expressions $\sigma(X)$. A head for a recursive 
expression $\mu X.f(g(c),g(g(X)))$ is $\mu X.f(Y,g(g(X)))$. See [16] for further detail. 
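To make the decomposition $E=H[\sigma]$ concrete, here is an added Python example (not from [16] or this paper) on a small first-order term language with a recursion construct $\mu X.E$. The tuple encoding of terms is my own. The head keeps the top constructor together with every subterm that mentions a variable bound by a recursion construct above it, and replaces each maximal subterm that mentions none by an argument variable; the standardisation of the head fixes those argument variables as Y1, Y2, ... in left-to-right order. The standardisation of $\sigma$ through a canonical choice of the bound variables inside $\sigma(X)$ is not implemented, so the uniqueness shown here is up to the names of those bound variables.

```python
# Terms: a variable is a str; an operator application is (op, arg1, ..., argn),
# with n = 0 for constants; recursion is ("mu", X, body).

def is_var(e):
    return isinstance(e, str)

def free_vars(e):
    if is_var(e):
        return {e}
    if e[0] == "mu":
        return free_vars(e[2]) - {e[1]}
    return set().union(*(free_vars(a) for a in e[1:]))

def substitute(e, sigma):
    """e[sigma] for the substitutions produced by decompose: their images contain
    no variable bound in e, so no capture-avoiding renaming is needed here."""
    if is_var(e):
        return sigma.get(e, e)
    if e[0] == "mu":
        inner = {k: v for k, v in sigma.items() if k != e[1]}
        return ("mu", e[1], substitute(e[2], inner))
    return (e[0], *(substitute(a, sigma) for a in e[1:]))

def decompose(e):
    """Return the standard head H and substitution sigma with e == H[sigma].

    A subterm is abstracted into an argument variable Y1, Y2, ... exactly when it
    mentions no variable bound on the path above it; everything else stays in
    the head.  The top constructor is always kept, so heads are never variables."""
    if is_var(e):
        raise ValueError("variables have no head/substitution decomposition")
    sigma = {}

    def abstract(sub):
        y = f"Y{len(sigma) + 1}"
        sigma[y] = sub
        return y

    def build(sub, bound, top=False):
        if not top and not (free_vars(sub) & bound):
            return abstract(sub)
        if is_var(sub):                       # a head-bound variable
            return sub
        if sub[0] == "mu":
            _, x, body = sub
            return ("mu", x, build(body, bound | {x}))
        return (sub[0], *(build(a, bound) for a in sub[1:]))

    head = build(e, frozenset(), top=True)
    return head, sigma

def check_postulate(e):
    """Postulate 1 on one term: recomposing the head with sigma gives e back."""
    head, sigma = decompose(e)
    return substitute(head, sigma) == e

if __name__ == "__main__":
    c = ("c",)
    for term in (("f", c, ("g", c)),
                 ("mu", "X", ("f", ("g", c), ("g", ("g", "X"))))):
        h, s = decompose(term)
        print(term, "=", h, "[", s, "]", check_postulate(term))
```

On the two terms of the text this yields $H=f(Y_1,Y_2)$ with $\sigma(Y_1)=c$, $\sigma(Y_2)=g(c)$, and $H=\mu X.f(Y_1,g(g(X)))$ with $\sigma(Y_1)=g(c)$, i.e. the heads above with $X_1,X_2,Y$ renamed to the canonical $Y_1,Y_2$.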

This postulate is easy to show for each common type of system description 
language, and I am not aware of any counterexamples. However, while striving 
for maximal generality, I consider languages with (recursion-like) constructs that 
are yet to be invented, and in view of those, this principle has to be postulated 
rather than derived. 


11 Invariance of Meaning Under α-conversion 


Write $v \equiv_\alpha^{\mathcal{L}} w$, with $v, w \in V$, iff there are terms $E, F \in T_{\mathcal{L}}$ with $E \equiv_\alpha F$, and 
a valuation $\zeta : \mathcal{X} \to V$ such that $[\![E]\!]_{\mathcal{L}}(\zeta) = v$ and $[\![F]\!]_{\mathcal{L}}(\zeta) = w$. This relation 
is reflexive and symmetric. 

In [16] I limited attention to languages satisfying 


if $E \equiv_\alpha F$ then $[\![E]\!]_{\mathcal{L}} = [\![F]\!]_{\mathcal{L}}$ (2) 


This postulate says that the meaning of an expression is invariant under α-conversion. 
It can be reformulated as the requirement that $\equiv_\alpha^{\mathcal{L}}$ is the identity 
relation. This postulate is satisfied by all my intended applications, except for 
the important class of closed-term languages. Languages like CCS and the π-calculus 
can be regarded as falling in this class (although it is also possible to 
declare the meaning of a term under a valuation to be an $\equiv_\alpha$-equivalence class of 
closed terms). To bring this type of application within the scope of my theory, 
here I weaken this postulate by requiring merely that $\equiv_\alpha^{\mathcal{L}}$ is an equivalence. 


Postulate 2. $\equiv_\alpha^{\mathcal{L}}$ is an equivalence relation. 


This postulate is needed in Sect. 12. I also need to restrict attention to preorders 
$\precsim$ with $\equiv_\alpha^{\mathcal{L}} \subseteq {\precsim}$. When that holds I say that the preorder $\precsim$ respects $\equiv_\alpha$. If (2) 
holds, which is a strengthening of Postulate 2, then any preorder respects $\equiv_\alpha$. 


12 Compositionality 


An important property of translations, defined below, is compositionality. In this 
section I show that any valid translation up to a preorder $\precsim$ can be modified 
into such a translation that moreover is compositional, provided one restricts 
attention to languages that satisfy Postulates 1 and 2, and preorders $\precsim$ that 
respect $\equiv_\alpha$. 


Definition 18. A translation $\mathcal{T}$ from $\mathcal{L}$ into $\mathcal{L}'$ is compositional if 

(1) $\mathcal{T}(E[\sigma]) \equiv_\alpha \mathcal{T}(E)[\mathcal{T} \circ \sigma]$ for each $E \in T_{\mathcal{L}}$ and $\sigma : fv(E) \to T_{\mathcal{L}}$, 
(2) $E \equiv_\alpha F$ implies $\mathcal{T}(E) \equiv_\alpha \mathcal{T}(F)$ for all $E, F \in T_{\mathcal{L}}$, 
(3) and moreover $\mathcal{T}(X) = X$ for each $X \in \mathcal{X}$. 


In case $E = f(t_1, \dots, t_n)$ for certain $t_i \in T_{\mathcal{L}}$ this amounts to 
$\mathcal{T}(f(t_1, \dots, t_n)) \equiv_\alpha E_f(\mathcal{T}(t_1), \dots, \mathcal{T}(t_n))$, where $E_f := \mathcal{T}(f(X_1, \dots, X_n))$ and 
$E_f(u_1, \dots, u_n)$ denotes the result of the simultaneous substitution in this expression 
of the terms $u_i \in T_{\mathcal{L}'}$ for the free variables $X_i$, for $i = 1, \dots, n$. The 
first requirement of Definition 18 is more general and covers language constructs 
other than functions, such as recursion. Requiring equality rather than $\equiv_\alpha$ is too 
demanding. □
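The following is an added example, not code from the paper: first-order terms with the head/substitution decomposition of Postulate 1 and a check of requirement (1) of Definition 18 on constructed terms. Because these terms have no binders, α-conversion is the identity and $\equiv_\alpha$ is plain syntactic equality. The source operators (nil, act, par), the target operators (merge, sync, open) and the translation table `E_F` are made up for illustration; the second translation deliberately lets the encoding of `par` depend on whether its arguments are closed, which is the kind of name-dependent encoding that fails this compositionality requirement.

```python
# Terms: ("var", "X") or ("app", f, (t1, ..., tn)); constants are 0-ary apps.
def var(x): return ("var", x)
def app(f, *args): return ("app", f, tuple(args))

def fv(t):
    """Free variables of a term."""
    if t[0] == "var":
        return {t[1]}
    return set().union(*(fv(a) for a in t[2]))

def subst(t, sigma):
    """t[sigma]: simultaneous substitution of sigma(X) for each X in dom(sigma)."""
    if t[0] == "var":
        return sigma.get(t[1], t)
    return ("app", t[1], tuple(subst(a, sigma) for a in t[2]))

def decompose(t):
    """Unique decomposition t = H[sigma] of a non-variable term (Postulate 1):
    the standard head is f(X1,...,Xn) with the fixed argument variables X1..Xn."""
    assert t[0] == "app", "variables have no head"
    f, args = t[1], t[2]
    head = app(f, *(var(f"X{i+1}") for i in range(len(args))))
    sigma = {f"X{i+1}": a for i, a in enumerate(args)}
    return head, sigma

# Hypothetical source language: nil, act(a, p) (prefix a.p), par(p, q).
# Hypothetical target: nil, act, and a ternary merge with a sync/open tag.
# E_F[f] = T(f(X1,...,Xn)) fixes the translation of each listed operator;
# operators not listed (here the action constants a, b) are kept as they are.
E_F = {
    "nil": app("nil"),
    "act": app("act", var("X1"), var("X2")),
    "par": app("merge", var("X1"), var("X2"), app("sync")),
}

def translate(t):
    """Compositional translation: T(X) = X and T(f(t1..tn)) = E_f(T(t1),...,T(tn))."""
    if t[0] == "var":
        return t                                   # requirement (3)
    head, sigma = decompose(t)
    e_f = E_F.get(head[1], head)
    return subst(e_f, {x: translate(s) for x, s in sigma.items()})

def translate_nd(t):
    """NOT compositional: the encoding of par depends on the free names of its
    arguments (the weaker, name-dependent criterion discussed in Sect. 13)."""
    if t[0] == "var":
        return t
    f, args = t[1], [translate_nd(a) for a in t[2]]
    if f == "par":
        return app("merge", *args, app("sync") if not fv(t) else app("open"))
    return ("app", f, tuple(args))

def compositional(T, t, sigma):
    """Requirement (1) of Definition 18, T(t[sigma]) = T(t)[T o sigma], on one instance."""
    lhs = T(subst(t, sigma))
    rhs = subst(T(t), {x: T(s) for x, s in sigma.items()})
    return lhs == rhs

# Constructed sample terms and substitutions.
SAMPLE_E = app("par", app("act", app("a"), var("X")), var("Y"))
SAMPLE_SIGMA = {"X": app("par", app("nil"), app("nil")),
                "Y": app("act", app("b"), app("nil"))}
ND_E = app("par", var("X"), app("nil"))
ND_SIGMA = {"X": app("nil")}   # closing X changes which tag translate_nd picks
```

Applying `translate` to `SAMPLE_E` yields merge(act(a, X), Y, sync), and the identity of requirement (1) holds under `SAMPLE_SIGMA`; for `translate_nd` it fails on `ND_E`, because the open term is encoded with `open` and the closed instance with `sync`.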


Lemma 1. If $\mathcal{T}_1 : T_{\mathcal{L}_1} \to T_{\mathcal{L}_2}$ and $\mathcal{T}_2 : T_{\mathcal{L}_2} \to T_{\mathcal{L}_3}$ are compositional 
translations, then so is their composition $\mathcal{T}_2 \circ \mathcal{T}_1 : T_{\mathcal{L}_1} \to T_{\mathcal{L}_3}$, defined by 
$\mathcal{T}_2 \circ \mathcal{T}_1(E) := \mathcal{T}_2(\mathcal{T}_1(E))$ for all $E \in T_{\mathcal{L}_1}$. 


Proof: (1) $\mathcal{T}_2(\mathcal{T}_1(E[\sigma])) \equiv_\alpha \mathcal{T}_2(\mathcal{T}_1(E)[\mathcal{T}_1 \circ \sigma]) \equiv_\alpha \mathcal{T}_2(\mathcal{T}_1(E))[\mathcal{T}_2 \circ \mathcal{T}_1 \circ \sigma]$ for each 
$\sigma : \mathcal{X} \to T_{\mathcal{L}_1}$ and $E \in T_{\mathcal{L}_1}$. Here the derivation of the first $\equiv_\alpha$ uses Property (2) 
of Definition 18 (applied to $\mathcal{T}_2$), and this is the reason for requiring that property. 
(2) $E \equiv_\alpha F$ implies $\mathcal{T}_1(E) \equiv_\alpha \mathcal{T}_1(F)$ and $\mathcal{T}_2(\mathcal{T}_1(E)) \equiv_\alpha \mathcal{T}_2(\mathcal{T}_1(F))$ for all $E, F \in T_{\mathcal{L}_1}$. 
(3) $\mathcal{T}_2(\mathcal{T}_1(X)) = \mathcal{T}_2(X) = X$ for each $X \in \mathcal{X}$. 


Theorem 5. Let $\mathcal{L}$ and $\mathcal{L}'$ be languages that satisfy Postulates 1 and 2, and $\precsim$ 
a preorder that respects $\equiv_\alpha^{\mathcal{L}}$ and $\equiv_\alpha^{\mathcal{L}'}$. If any valid (or correct) translation from 
$\mathcal{L}$ into $\mathcal{L}'$ up to $\precsim$ exists, then there exists a compositional translation that is 
valid (or correct) up to $\precsim$. □
Hence, for the purpose of comparing the expressive power of languages, valid 
translations between them can be assumed to be compositional. For correct 
translations this was already established in [16], but assuming (2), a stronger 
version of Postulate 2. 

I can now establish the theorem promised in Sect. 9. In view of Theorem 5, no 
great sacrifices are made by assuming that the translation $\mathcal{T}$ is compositional. 
Other "mild conditions" needed are Postulate 2 for $\mathcal{L}'$ and $\sim$ respecting $\equiv_\alpha^{\mathcal{L}'}$. 


Theorem 6. Let $\mathcal{L}$ be a closed-term language and $\mathcal{L}'$ a language that satisfies 
Postulate 2. Let $\mathcal{T}$ be a compositional translation from $\mathcal{L}$ into $\mathcal{L}'$ that is valid 
up to $\sim$. Let $\approx$ be any congruence for $\mathcal{L}'$ containing $\equiv_\alpha^{\mathcal{L}'}$ and contained in $\sim$. 
Then $\mathcal{T}$ is correct up to an equivalence $\approx_{\mathcal{T}}$ on $V \cup V'$, contained in $\sim$, that on 
$V'$ coincides with $\approx$. □


13 Related Work 


The concept of full abstraction stems from Milner [26]. It indicates a satisfactory 
connection between a denotational and an operational semantics of a language. 
Riecke [42] and Shapiro [45] adapt this notion to translations between languages. 


Definition 19. A translation $\mathcal{T} : T_{\mathcal{L}_S} \to T_{\mathcal{L}_T}$ is fully abstract w.r.t. the equivalences 
$\sim_S \subseteq T_{\mathcal{L}_S}^2$ and $\sim_T \subseteq T_{\mathcal{L}_T}^2$ if, for all $P, Q \in T_{\mathcal{L}_S}$, $P \sim_S Q \Leftrightarrow \mathcal{T}(P) \sim_T \mathcal{T}(Q)$. 


In [42,45], $\sim_S$ and $\sim_T$ are required to be congruence closures; see [18] for more 
detail. The simplified definition above was used in [1,30,31]. Fu [10] bases a 
theory of expressiveness on full abstraction, with a divergence-preserving form 
of barbed branching bisimilarity [19] in the rôle of $\sim_S$ and $\sim_T$. A comparison of 
full abstraction with the approach of the present paper appears in [18]. 

In the last twenty years, a great number of encodability and separation 
results have appeared, comparing CCS, Mobile Ambients, and several versions 
of the π-calculus (with and without recursion; with mixed choice, separated 
choice or asynchronous) [1,2,5–8,11–13,23,30–34,38–41,43,46]; see [20,21] for 
an overview. Many of these results employ different and somewhat ad-hoc criteria 
on what constitutes a valid encoding, and thus are hard to compare with each 
other. Several of these criteria are discussed and compared in [35,36]. Gorla [21] 
collected some essential features of these approaches and integrated them in a 
proposal for a valid encoding that justifies most encodings and some separation 
results from the literature. 

Like Boudol [3] and the present paper, Gorla requires a compositionality 
condition for encodings. However, his criterion is weaker than mine (cf. 
Definition 18) in that the expression $E_f$ encoding an operator $f$ may be dependent 
on the set of names occurring freely in the expressions given as arguments 
of f. This issue is further discussed in [16]. It is an interesting topic for future 
research to see if there are any valid encodability results à la [21] that suffer 
from my proposed strengthening of compositionality. 
The second criterion of [21] is a form of invariance under name-substitution. 
It serves to partially undo the effect of making the compositionality requirement 
name-dependent. In my setting I have not yet found the need for such a condition. 
In [16] I argue that this criterion as formalised in [21] is too restrictive. 

The remaining three requirements of Gorla (the 'semantic' requirements) are 
very close to an instantiation of mine with a particular preorder $\precsim$. If one takes 
$\precsim$ to be weak barbed bisimilarity with explicit divergence (i.e. relating divergent 
states with divergent states only), using barbs external to the language, as discussed 
in Sect. 6, then a valid translation in my sense satisfies Gorla's semantic 
criteria, provided that the equivalence on the target language that acts as a 
parameter in Gorla's third criterion is also taken to be weak barbed bisimilarity 
with explicit divergence. The precise relationships between the proposals of 
[16,21] are further discussed in [37]. 

Further work is needed to sort out to what extent the two approaches have 
relevant differences when evaluating encoding and separation results from the 
literature. Another topic for future work is to sort out how dependent known 
encoding and separation results are on the chosen equivalence or preorder. 


Abstract. We introduce a general framework for Runtime Verification, 
parameterized with respect to a set of conditions. These conditions are 
encoded in the trace generated by a monitored process, which a monitor 
can observe. We present this parameterized framework in its general form 
and prove that it corresponds to a fragment of HML with recursion, 
extended with these conditions. We then show how this framework can 
be applied to a number of instantiations of the set of conditions. 


1 Introduction 


Runtime Verification (RV) is a lightweight verification technique that checks 
whether a system satisfies a correctness property by analysing the current execution 
of the system [20,29], expressed as a trace of execution events. Using the 
additional information obtained at runtime, the technique can often mitigate 
state explosion problems typically associated with more traditional verification 
techniques. At the same time, limiting the verification analysis to the current exe- 
cution trace hinders the expressiveness of RV when compared to more exhaustive 
approaches. In fact, there are correctness properties that cannot be satisfactorily 
verified at runtime (e.g. the finiteness of the trace considered up to the current 
execution point prohibits the verification of liveness properties). Because of this 
reason, RV is often used as part of a multi-pronged approach towards ensuring 
system correctness [5,6,8, 14, 15,25], complementing other verification techniques 
such as model checking, testing and type checking. 

In order to attain an effective verification strategy consisting of multiple ver- 
ification techniques that include RV, it is crucial to understand the expressive 
power of each technique: one can then determine how to best decompose the 
verification burden into subtasks that can then be assigned to the most appro- 
priate verification technique. Monitorability concerns itself with identifying the 
properties that are analysable by RV. In [21,22] (and subsequently in [2]), the 
problem of monitorability was studied for properties expressed in a variant of the 
modal μ-calculus [26] called μHML [28]. The choice of the logic was motivated 
by the fact that it can embed widely used logics such as CTL and LTL, and 
by the fact that it is agnostic of the underlying verification method used; this 
leads to better separation of concerns and guarantees a good level of generality 
for the results obtained. The main result in [2,21,22] is the identification of a 
monitorable syntactic subset of the logic μHML (i.e., a set of logical formulas for 
which monitors carrying out the necessary runtime analysis exist) that is shown 
to be maximally expressive (i.e., any property that is monitorable in the logic 
may be expressed in terms of this syntactic subset). We are unaware of other 
maximality results of this kind in the context of RV. 

In this work we strive towards extending the monitorability limits identified 
in [2,21,22] for μHML. Particularly, for any logic or specification language, 
monitorability is a function of the underlying monitoring setup. In [2,21,22], 
the framework assumes a classical monitoring setup, whereby a (single) monitor 
incrementally analyses an ordered trace of events describing the computation 
steps that were executed by the system. A key observation made by this paper 
is that, in general, execution traces need not be limited to the reporting of events 
that happened. For instance, they may describe events that could not have hap- 
pened at specific points in the execution of a system. Alternatively, they may also 
include descriptions for depth-bounded trees of computations that were possible 
at specific points in an execution. We conjecture that there are instances where 
this additional information can be feasibly encoded in a trace, either dynami- 
cally or by way of a pre-processing phase (based, e.g., on the examination of logs 
of previous system executions, or on the full static checking of sub-components 
making up the system). More importantly, this additional information could, in 
principle, permit the verification of more properties at runtime. 

The contribution of this paper is a study of how the aforementioned augmented 
monitoring setups may affect the monitorability of μHML, potentially 
extending the maximality limits identified in [2,21,22]. More concretely: 


1. We show how these aspects can be expressed and studied in a general monitor- 
ing framework with (abstract) conditions, Theorems 3 and 4 resp. in Sects. 3 
and 5. 

2. We instantiate the general framework with trace conditions that describe the 
inability to perform actions, amounting to refusals [31], Propositions 1 and 5. 

3. We also instantiate the framework with conditions describing finite exe- 
cution graphs, amounting to the recursion-free fragment of the logic [24], 
Propositions 2 and 3. 

4. Finally, we instantiate the framework with trace conditions that record infor- 
mation from previous monitored runs of the system, Proposition 4. This, in 
turn, leads us to a notion of alternating monitoring that allows monitors to 
aggregate information over monitored runs. We show that this extends the 
monitorable fragment of our logic in a natural and significant way. 
The remainder of the paper is structured as follows. After outlining the necessary 
preliminaries in Sect.2, we develop our parameterized monitoring framework 
with conditions in Sect. 3 for a monitoring setup that allows monitors to observe 
both silent and external actions of systems. The two condition instantiations for 
this strong setting are presented in Sect. 4. In Sect. 5 we extend the parameterized 
monitoring framework with conditions to a weak monitoring setup that abstracts 
from internal moves, followed by two instantiations similar to those presented in 
Sect. 4. Section 6 concludes by discussing related and future work. 


2 Background 


Labelled Transition Systems. We assume a set of external actions $\mathrm{Act}$ and 
a distinguished silent action $\tau$. We let $\alpha$ range over $\mathrm{Act}$ and $\mu$ over $\mathrm{Act} \cup \{\tau\}$. 
A Labelled Transition System (LTS) on $\mathrm{Act}$ is a triple 

$L = (P, \mathrm{Act}, \rightarrow_L),$ 

where $P$ is a nonempty set of system states referred to as processes $p, q, \dots$, and 
${\rightarrow_L} \subseteq P \times (\mathrm{Act} \cup \{\tau\}) \times P$ is a transition relation. We write $p \xrightarrow{\mu}_L q$ instead 
of $(p, \mu, q) \in {\rightarrow_L}$. By $p \xrightarrow{\mu}_L$ we mean that there is some $q$ such that $p \xrightarrow{\mu}_L q$. 
We use $p \xRightarrow{\mu}_L q$ to mean that, in $L$, $p$ can derive $q$ using a single $\mu$ action 
and any number of silent actions, i.e., $p\, (\xrightarrow{\tau}_L)^* \xrightarrow{\mu}_L (\xrightarrow{\tau}_L)^*\, q$. We distinguish 
between (general) traces $s = \mu_1 \mu_2 \dots \mu_r \in (\mathrm{Act} \cup \{\tau\})^*$ and external traces 
$t = \alpha_1 \alpha_2 \dots \alpha_r \in \mathrm{Act}^*$. For a general trace $s = \mu_1 \mu_2 \dots \mu_r \in (\mathrm{Act} \cup \{\tau\})^*$, $p \xrightarrow{s}_L q$ 
means $p \xrightarrow{\mu_1}_L \xrightarrow{\mu_2}_L \dots \xrightarrow{\mu_r}_L q$; and for an external trace $t = \alpha_1 \alpha_2 \dots \alpha_r \in \mathrm{Act}^*$, 
$p \xRightarrow{t}_L q$ means $p \xRightarrow{\alpha_1}_L \xRightarrow{\alpha_2}_L \dots \xRightarrow{\alpha_r}_L q$ when $r \geq 1$ and $p\, (\xrightarrow{\tau}_L)^*\, q$ when $t = \varepsilon$ is 
the empty trace. We occasionally omit the subscript $L$ when it is clear from the 
context. 


Example 1. The (standard) regular fragment of CCS [30] with grammar: 

$p, q \in \mathrm{Proc} ::= \mathrm{nil} \mid \mu.p \mid p + q \mid \mathrm{rec}\, x.p \mid x,$ 

where $x, y, z, \dots$ are from some countably infinite set of variables $\mathrm{Var}$, and the 
transition relation defined by the rules 

Act: $\mu.p \xrightarrow{\mu} p$ 
Rec: if $p[\mathrm{rec}\, x.p / x] \xrightarrow{\mu} q$ then $\mathrm{rec}\, x.p \xrightarrow{\mu} q$ 
SelL: if $p \xrightarrow{\mu} p'$ then $p + q \xrightarrow{\mu} p'$ 
SelR: if $q \xrightarrow{\mu} q'$ then $p + q \xrightarrow{\mu} q'$ 

constitutes the LTS $(\mathrm{Proc}, \mathrm{Act}, \rightarrow)$. We often use the CCS notation above to 
describe processes. □


Specification Logic. Properties about the behaviour of processes may be specified 
via the logic μHML [4,28], a reformulation of the modal μ-calculus [26]. 
Definition 1. μHML formulae on $\mathrm{Act}$ are defined by the grammar: 

$\varphi, \psi \in \mu\mathrm{HML} ::= \mathrm{tt} \mid \mathrm{ff} \mid \varphi \wedge \psi \mid \varphi \vee \psi \mid \langle\mu\rangle\varphi \mid [\mu]\varphi \mid \min X.\varphi \mid \max X.\varphi \mid X$ 

where $X, Y, Z, \dots$ come from a countably infinite set of logical variables $\mathrm{LVar}$. 
For a given LTS $L = (P, \mathrm{Act}, \rightarrow)$, an environment $\rho$ is a function $\rho : \mathrm{LVar} \to 2^P$. 
Given an environment $\rho$, $X \in \mathrm{LVar}$, and $S \subseteq P$, $\rho[X \mapsto S]$ denotes the 
environment where $\rho[X \mapsto S](X) = S$ and $\rho[X \mapsto S](Y) = \rho(Y)$, for all $Y \neq X$. 
The semantics of a μHML formula $\varphi$ over an LTS $L$ relative to an environment 
$\rho$, denoted as $[\![\varphi, \rho]\!]_L$, is defined as follows: 

$[\![\mathrm{tt}, \rho]\!]_L = P$ \quad $[\![\mathrm{ff}, \rho]\!]_L = \emptyset$ \quad $[\![X, \rho]\!]_L = \rho(X)$ 
$[\![\varphi_1 \wedge \varphi_2, \rho]\!]_L = [\![\varphi_1, \rho]\!]_L \cap [\![\varphi_2, \rho]\!]_L$ \quad $[\![\varphi_1 \vee \varphi_2, \rho]\!]_L = [\![\varphi_1, \rho]\!]_L \cup [\![\varphi_2, \rho]\!]_L$ 
$[\![[\mu]\varphi, \rho]\!]_L = \{ p \mid \forall q.\ p \xrightarrow{\mu} q \text{ implies } q \in [\![\varphi, \rho]\!]_L \}$ 
$[\![\langle\mu\rangle\varphi, \rho]\!]_L = \{ p \mid \exists q.\ p \xrightarrow{\mu} q \text{ and } q \in [\![\varphi, \rho]\!]_L \}$ 
$[\![\min X.\varphi, \rho]\!]_L = \bigcap \{ S \mid [\![\varphi, \rho[X \mapsto S]]\!]_L \subseteq S \}$ 
$[\![\max X.\varphi, \rho]\!]_L = \bigcup \{ S \mid S \subseteq [\![\varphi, \rho[X \mapsto S]]\!]_L \}$ 

Formulas $\varphi$ and $\psi$ are equivalent, denoted as $\varphi \equiv \psi$, when $[\![\varphi, \rho]\!]_L = [\![\psi, \rho]\!]_L$ for 
every environment $\rho$ and LTS $L$. We often consider closed formulae and simply 
write $[\![\varphi]\!]_L$ for $[\![\varphi, \rho]\!]_L$ when the semantics of $\varphi$ is independent of $\rho$. □
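As an added example, not code from the paper, the semantics of Definition 1 can be computed directly over a finite LTS: the fixpoints are obtained by Kleene iteration from the top (for max) or the bottom (for min) of the lattice $2^P$, which is exact here because $P$ is finite and every operator in the grammar is monotone in its variables. The block also checks, on the same LTS, that the encoding of the weak modality $[\![\alpha]\!]\varphi$ as $\max X.([\tau]X \wedge [\alpha]\max Y.(\varphi \wedge [\tau]Y))$ used later in Sect. 2 agrees with the direct definition via weak transitions $p \xRightarrow{\alpha} q$. The LTS, the formula representation and all function names are constructed for this illustration.

```python
import itertools

TAU = "tau"

# Constructed LTS on Act = {a, b}:
#   0 -a-> 1,  1 -b-> 0,  1 -tau-> 2,  2 -b-> 3,  3 -a-> 3
TRANS = {(0, "a", 1), (1, "b", 0), (1, TAU, 2), (2, "b", 3), (3, "a", 3)}
PROCS = frozenset({0, 1, 2, 3})


def succ(p, mu):
    """{q | p -mu-> q}"""
    return {q for (s, act, q) in TRANS if s == p and act == mu}


# Formula constructors; formulas are nested tuples.
TT, FF = ("tt",), ("ff",)
def Var(X): return ("var", X)
def And(phi, psi): return ("and", phi, psi)
def Or(phi, psi): return ("or", phi, psi)
def Box(mu, phi): return ("box", mu, phi)    # [mu]phi
def Dia(mu, phi): return ("dia", mu, phi)    # <mu>phi
def Max(X, phi): return ("max", X, phi)
def Min(X, phi): return ("min", X, phi)


def sem(phi, env=None):
    """[[phi, env]]_L from Definition 1, as a frozenset of processes.
    env maps logical variables to sets of processes."""
    env = {} if env is None else env
    tag = phi[0]
    if tag == "tt":
        return PROCS
    if tag == "ff":
        return frozenset()
    if tag == "var":
        return env[phi[1]]
    if tag == "and":
        return sem(phi[1], env) & sem(phi[2], env)
    if tag == "or":
        return sem(phi[1], env) | sem(phi[2], env)
    if tag == "box":
        s = sem(phi[2], env)
        return frozenset(p for p in PROCS if succ(p, phi[1]) <= s)
    if tag == "dia":
        s = sem(phi[2], env)
        return frozenset(p for p in PROCS if succ(p, phi[1]) & s)
    if tag in ("max", "min"):
        X, body = phi[1], phi[2]
        # Kleene iteration from the top (max) or bottom (min) of 2^P;
        # exact because P is finite and every operator above is monotone in X.
        cur = PROCS if tag == "max" else frozenset()
        while True:
            nxt = sem(body, {**env, X: cur})
            if nxt == cur:
                return cur
            cur = nxt
    raise ValueError(f"not a muHML formula: {phi!r}")


_fresh = itertools.count()

def WBox(a, phi):
    """Weak box [[a]]phi encoded as max X.([tau]X ^ [a]max Y.(phi ^ [tau]Y)),
    with X and Y fresh so that nested uses do not capture each other."""
    X, Y = f"X{next(_fresh)}", f"Y{next(_fresh)}"
    return Max(X, And(Box(TAU, Var(X)), Box(a, Max(Y, And(phi, Box(TAU, Var(Y)))))))


def tau_closure(S):
    """Processes reachable from S by zero or more tau steps."""
    seen, todo = set(S), list(S)
    while todo:
        for q in succ(todo.pop(), TAU):
            if q not in seen:
                seen.add(q)
                todo.append(q)
    return seen


def weak_succ(p, a):
    """{q | p =a=> q}, i.e. p (tau)* a (tau)* q."""
    mid = set().union(*(succ(r, a) for r in tau_closure({p})))
    return tau_closure(mid)


def wbox_direct(a, S):
    """[[a]]phi computed directly from weak transitions, given S = [[phi]]."""
    return frozenset(p for p in PROCS if weak_succ(p, a) <= S)


# Sample properties on the LTS above.
NO_B = Box("b", FF)                                   # b is not enabled now
SAFE = Max("X", And(Box("a", Box("b", FF)),           # invariantly: no b right after an a
                    And(Box("a", Var("X")), And(Box("b", Var("X")), Box(TAU, Var("X"))))))
EVENTUALLY_B = Min("X", Or(Dia("b", TT), Or(Dia("a", Var("X")), Dia(TAU, Var("X")))))
WEAK_AA = WBox("a", WBox("a", FF))                    # no two a's, up to tau steps
```

On this LTS `SAFE` holds exactly in states 2 and 3 (state 0 can do a and then b, and state 1 reaches 0), `EVENTUALLY_B` fails only in state 3, and the encoded and the direct weak box agree.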


The logic μHML is very expressive. It is also agnostic of the technique to be 
employed for verification. The property of monitorability, however, fundamentally 
relies on the monitoring setup considered. 


Monitoring Systems. A monitoring setup on $\mathrm{Act}$ is a triple $(M, I, L)$, where 
$L$ is a system LTS on $\mathrm{Act}$, $M$ is a monitor LTS on $\mathrm{Act}$, and $I$ is the instrumentation 
describing how to compose $L$ and $M$ into an LTS, denoted by 
$I(M, L)$, on $\mathrm{Act}$. We call the pair $(M, I)$ a monitoring system on $\mathrm{Act}$. For 
$M = (\mathrm{Mon}, \mathrm{Act}, \rightarrow_M)$, $\mathrm{Mon}$ is a set of monitor states (ranged over by $m$) and 
$\rightarrow_M$ is the monitor semantics described in terms of the behavioural state transitions 
a monitor takes when it analyses trace events $\mu \in \mathrm{Act} \cup \{\tau\}$. The states 
of the composite LTS $I(M, L)$ are written as $m \triangleleft p$, where $m$ is a monitor state 
and $p$ is a system state; the monitored-system transition relation is denoted here 
by $\rightarrow_{I(M,L)}$. We present our results with a focus on rejection monitors, i.e., 
monitors with a designated rejection state $\mathrm{no}$, and hence safety fragments of the 
logic μHML. However, our results and arguments apply dually to acceptance 
monitors (with a designated acceptance state $\mathrm{yes}$) and co-safety properties; see 
[21,22] for details. 
Definition 2. Fix a monitoring setup $(M, I, L)$ on $\mathrm{Act}$ and let $m$ be a monitor 
state of $M$ and $\varphi$ a closed formula of μHML on $\mathrm{Act}$. We say that $m$ 
$(M, I)$-rejects (or simply rejects, if $M, I$ are evident) a process $p$ in $L$, written 
as $\mathrm{rej}_{(M,I,L)}(m, p)$, when there are a process $q$ in $L$ and a trace $s \in (\mathrm{Act} \cup \{\tau\})^*$ 
such that $m \triangleleft p \xrightarrow{s}_{I(M,L)} \mathrm{no} \triangleleft q$. We say that $m$ $(M, I)$-monitors for $\varphi$ on $L$ 
whenever 

for each process $p$ of $L$, $\mathrm{rej}_{(M,I,L)}(m, p)$ if and only if $p \notin [\![\varphi]\!]_L$. 

(Subscripts are omitted when they are clear from the context.) Finally, $m$ $(M, I)$-monitors 
for $\varphi$ when $m$ $(M, I)$-monitors for $\varphi$ on $L$ for every LTS $L$ on $\mathrm{Act}$. 
The monitoring system $(M, I)$ is often omitted when evident. □


We define monitorability for μHML in terms of monitoring systems $(M, I)$. 


Definition 3. Fix a monitoring system $(M, I)$ and a fragment $\Lambda$ of μHML. We 
say that $(M, I)$ rejection-monitors for $\Lambda$ whenever: 

- For all closed $\varphi \in \Lambda$, there exists an $m$ from $M$ that $(M, I)$-monitors for $\varphi$. 
- For all $m$ of $M$, there exists a closed $\varphi \in \Lambda$ that is $(M, I)$-monitored by $m$. □


We note that if a monitoring system and a fragment $\Lambda$ of μHML satisfy 
the conditions of Definition 3, then $\Lambda$ is the largest fragment of μHML that is 
monitored by the monitoring system. Stated otherwise, any other logic fragment 
$\Lambda'$ that satisfies the conditions of Definition 3 must be equally expressive to 
$\Lambda$, i.e., $\forall \varphi' \in \Lambda'.\ \exists \varphi \in \Lambda.\ \varphi \equiv \varphi'$ and vice versa. Definition 3 can be dually 
given for acceptance-monitorability, when considering acceptance monitors. We 
next review two monitoring systems that respectively rejection-monitor for two 
different fragments of μHML. We omit the corresponding monitoring systems 
for acceptance-monitors, that monitor for the dual fragments of μHML. 


The Basic Monitoring Setup. The following monitoring system, presented 
in [2], does not distinguish between silent actions and external actions. 


Definition 4. A basic monitor on $\mathrm{Act}$ is defined by the grammar: 

$m, n \in \mathrm{Mon}_b ::= \mathrm{end} \mid \mathrm{no} \mid \mu.m \mid m + n \mid \mathrm{rec}\, x.m \mid x,$ 

where $x$ comes from a countably infinite set of monitor variables. Constant $\mathrm{no}$ 
denotes the rejection verdict state whereas $\mathrm{end}$ denotes the inconclusive verdict 
state. The basic monitor LTS $M_b$ is the one whose states are the closed monitors 
of $\mathrm{Mon}_b$ and whose transition relation is defined by the (standard) rules in 
Table 1 (we elide the symmetric rule for $m + n$). □


Note that by rule mVrd in Table 1, verdicts are irrevocable and monitors can 
only describe suffix-closed behaviour. 
Table 1. Behaviour and instrumentation rules for monitored systems ($v \in \{\mathrm{end}, \mathrm{no}\}$). 

Monitor semantics 

mAct: $\mu.m \xrightarrow{\mu} m$ 
mRec: if $m[\mathrm{rec}\, x.m / x] \xrightarrow{\mu} m'$ then $\mathrm{rec}\, x.m \xrightarrow{\mu} m'$ 
mSel: if $m \xrightarrow{\mu} m'$ then $m + n \xrightarrow{\mu} m'$ 
mVrd: $v \xrightarrow{\mu} v$ 

Instrumentation semantics 

iMon: if $p \xrightarrow{\mu}_L q$ and $m \xrightarrow{\mu}_M n$ then $m \triangleleft p \xrightarrow{\mu}_{I(M,L)} n \triangleleft q$ 
iTer: if $p \xrightarrow{\mu}_L q$ and $m \not\xrightarrow{\mu}_M$ then $m \triangleleft p \xrightarrow{\mu}_{I(M,L)} \mathrm{end} \triangleleft q$ 
iAbs: if $p \xrightarrow{\tau}_L q$ then $m \triangleleft p \xrightarrow{\tau}_{I(M,L)} m \triangleleft q$ 


Definition 5. Given a system LTS $L$ and a monitor LTS $M$ that agree on 
$\mathrm{Act}$, the basic instrumentation LTS, denoted by $I_b(M, L)$, is defined by the 
rules iMon and iTer in Table 1. (We do not consider rule iAbs for now.) □


Instrumentation often relegates monitors to a passive role, whereby a monitored 
system transitions only when the system itself can. In rule iMon, when the 
system produces a trace event $\mu$ that the monitor is able to analyse (and transition 
from $m$ to $n$), the constituent components of a monitored system $m \triangleleft p$ 
move in lockstep. Conversely, when the system produces an event $\mu$ that the 
monitor is unable to analyse, the monitored system still executes, according to 
iTer, but the monitor transitions to the inconclusive state, where it remains for 
the rest of the computation. 

We refer to the pair $(M_b, I_b)$ from Definitions 4 and 5 as the basic monitoring 
system. For each system LTS $L$ that agrees with the basic monitoring system on 
$\mathrm{Act}$, we can show a correspondence between the respective monitoring setup 
$(M_b, I_b, L)$ and the following syntactic subset of μHML. 


Definition 6. The safety fragment sHML of μHML is defined by the grammar: 
$\theta, \chi \in \mathrm{sHML} ::= \mathrm{tt} \mid \mathrm{ff} \mid [\mu]\theta \mid \theta \wedge \chi \mid \max X.\theta \mid X$ □


Theorem 1 ([2]). The basic monitoring system $(M_b, I_b)$ monitors for the logical 
fragment sHML. 


The proof of Theorem 1 relies on a monitor synthesis and a formula synthesis 
function. The monitor synthesis function, $(\!(-)\!) : \mathrm{sHML} \to \mathrm{Mon}_b$, is defined on 
the structure of the input formula and assumes a bijective mapping between 
formula variables and monitor recursion variables: 

$(\!(\mathrm{tt})\!) = \mathrm{end}$ \quad $(\!(\mathrm{ff})\!) = \mathrm{no}$ \quad $(\!(X)\!) = x$ 
$(\!([\mu]\psi)\!) = \mathrm{end}$ if $(\!(\psi)\!) = \mathrm{end}$, and $\mu.(\!(\psi)\!)$ otherwise 
$(\!(\max X.\psi)\!) = \mathrm{end}$ if $(\!(\psi)\!) = \mathrm{end}$, and $\mathrm{rec}\, x.(\!(\psi)\!)$ otherwise 
$(\!(\psi_1 \wedge \psi_2)\!) = (\!(\psi_1)\!)$ if $(\!(\psi_2)\!) = \mathrm{end}$; $(\!(\psi_2)\!)$ if $(\!(\psi_1)\!) = \mathrm{end}$; $(\!(\psi_1)\!) + (\!(\psi_2)\!)$ otherwise 
The case analyses in the above synthesis procedure handle some of the redundancies 
that may be present in formula specifications. For instance, it turns out 
that $\max X.[\mu]\mathrm{tt} \equiv \mathrm{tt}$ and, accordingly, $(\!(\max X.[\mu]\mathrm{tt})\!) = (\!(\mathrm{tt})\!) = \mathrm{end}$. The formula 
synthesis function is defined analogously (see [2,22] for more details). 
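The following is an added example, not code from the paper: the monitor synthesis function $(\!(-)\!)$ above implemented on sHML formulas represented as nested tuples, with a CCS-style printer and the inverse formula-synthesis direction. The inverse direction (end ↦ tt, no ↦ ff, μ.m ↦ [μ]φ, m+n ↦ φ∧ψ, rec x.m ↦ max X.φ, x ↦ X) is our reading of "defined analogously", not a definition taken from [2,22]; the names `synth`, `formula_of` and `show` are ours.

```python
# Formulas: ("tt",), ("ff",), ("box", mu, phi), ("and", phi, psi), ("max", X, phi), ("var", X)
# Monitors: ("end",), ("no",), ("act", mu, m), ("sum", m, n), ("rec", x, m), ("mvar", x)
TT, FF = ("tt",), ("ff",)
def box(mu, phi): return ("box", mu, phi)
def And(phi, psi): return ("and", phi, psi)
def Max(X, phi): return ("max", X, phi)
def Var(X): return ("var", X)

END, NO = ("end",), ("no",)


def synth(phi):
    """Monitor synthesis (phi) for sHML, including the end-collapsing cases."""
    tag = phi[0]
    if tag == "tt":
        return END
    if tag == "ff":
        return NO
    if tag == "var":
        return ("mvar", phi[1].lower())            # fixed bijection X -> x
    if tag == "box":
        m = synth(phi[2])
        return END if m == END else ("act", phi[1], m)
    if tag == "max":
        m = synth(phi[2])
        return END if m == END else ("rec", phi[1].lower(), m)
    if tag == "and":
        m1, m2 = synth(phi[1]), synth(phi[2])
        if m2 == END:
            return m1
        if m1 == END:
            return m2
        return ("sum", m1, m2)
    raise ValueError(f"not an sHML formula: {phi!r}")


def formula_of(m):
    """Formula synthesis in the other direction (assumed shape, see lead-in)."""
    tag = m[0]
    if tag == "end":
        return TT
    if tag == "no":
        return FF
    if tag == "mvar":
        return Var(m[1].upper())
    if tag == "act":
        return box(m[1], formula_of(m[2]))
    if tag == "sum":
        return And(formula_of(m[1]), formula_of(m[2]))
    if tag == "rec":
        return Max(m[1].upper(), formula_of(m[2]))
    raise ValueError(f"not a basic monitor: {m!r}")


def show(m):
    """CCS-style rendering, e.g. rec x.(a.x + b.no)."""
    tag = m[0]
    if tag in ("end", "no"):
        return tag
    if tag == "mvar":
        return m[1]
    if tag == "act":
        body = show(m[2])
        return f"{m[1]}.({body})" if m[2][0] == "sum" else f"{m[1]}.{body}"
    if tag == "sum":
        return f"{show(m[1])} + {show(m[2])}"
    return f"rec {m[1]}.({show(m[2])})"


# Sample formulas (constructed).
PHI_REDUNDANT = Max("X", box("a", TT))                        # equivalent to tt
PHI_INV = Max("X", And(box("a", Var("X")), box("b", FF)))     # no b while only a's happen
PHI_NESTED = box("a", And(box("b", FF), Max("Y", box("c", TT))))  # right conjunct is redundant
```

`synth(PHI_REDUNDANT)` collapses to end as in the text, `synth(PHI_INV)` prints as rec x.(a.x + b.no) and round-trips through `formula_of`, while for `PHI_NESTED` the redundant conjunct disappears and `formula_of` returns the simplified formula [a][b]ff.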


Monitoring for External Actions. The results obtained in [21,22] can be 
expressed and recovered within our more general framework. We can express a 
weak version of the modalities employed in [3,21,22] as follows: 

$[\![\mu]\!]\varphi = \max X.([\tau]X \wedge [\mu]\max Y.(\varphi \wedge [\tau]Y))$ and 
$\langle\!\langle\mu\rangle\!\rangle\varphi = \min X.(\langle\tau\rangle X \vee \langle\mu\rangle\min Y.(\varphi \vee \langle\tau\rangle Y)).$ 


Definition 7. Weak safety μHML, presented in [21,22], is defined by the 
grammar: 

$\pi, \kappa \in \mathrm{WsHML} ::= \mathrm{tt} \mid \mathrm{ff} \mid [\![\alpha]\!]\pi \mid \pi \wedge \kappa \mid \max X.\pi \mid X$ □


Definition 8. The set $\mathrm{Mon}_e$ of external monitors on $\mathrm{Act}$ contains all the basic 
monitors that do not use the silent action $\tau$. The corresponding external monitor 
LTS $M_e$ is defined similarly to $M_b$, but with the closed monitors in $\mathrm{Mon}_e$ as 
its states. External instrumentation, denoted by $I_e$, is defined by the three rules 
iMon, iTer and iAbs in Table 1, where in the case of iMon and iTer, action 
$\mu$ is substituted by the external action $\alpha$. We refer to the pair $(M_e, I_e)$ as the 
external monitoring system, amounting to the setup in [21,22]. □


Theorem 2 ([22]). The external monitoring system $(M_e, I_e)$ rejection-monitors 
for the logical fragment WsHML. 


3 Monitors that Detect Conditions 


Given a set of processes $P$, a pair $(C, r)$ is a condition framework when $C$ is a 
non-empty set of conditions and $r : C \to 2^P$ is a valuation function. We assume 
a fixed condition framework $(C, r)$ and we extend the syntax and semantics of 
μHML so that for every condition $c \in C$, both $c$ and $\neg c$ are formulas and for 
every LTS $L$ on set of processes $P$, $[\![c]\!] = r(c)$ and $[\![\neg c]\!] = P \setminus r(c)$. We call 
the extended logic $\mu\mathrm{HML}^{(C,r)}$. Since, in all the instances we consider, $r$ is easily 
inferred from $C$, it is often omitted and we simply write $C$ instead of $(C, r)$ 
and $\mu\mathrm{HML}^{(C,r)}$ as $\mu\mathrm{HML}^C$. We say that process $p$ satisfies $c$ when $p \in [\![c]\!]$. We 
assume that $C$ is closed under negation, meaning that for every $c \in C$, there is 
some $c' \in C$, such that $[\![c']\!] = [\![\neg c]\!]$. Conditions represent certain properties of 
processes that the instrumentation is able to report. 

We extend the syntax of monitors, so that if $m$ is a monitor and $c$ a condition, 
then $c.m$ is a monitor. The idea is that if $c.m$ detects that the process satisfies 
$c$, then it can transition to $m$. 
Definition 9. A basic $C$-monitor on $\mathrm{Act}$ is defined by the grammar: 
$m, n \in \mathrm{Mon}_b^C ::= \mathrm{end} \mid \mathrm{no} \mid \mu.m \mid c.m \mid m + n \mid \mathrm{rec}\, x.m \mid x,$ 

where $x$ comes from a countably infinite set of monitor variables and $c \in C$. 
Basic $C$-monitor behaviour is defined as in Table 1, but allowing $\mu$ to range over 
$\mathrm{Act} \cup C \cup \{\tau\}$. We call the resulting monitor LTS $M_b^C$. □


A monitor detects the satisfaction of condition $c$ when the monitored system 
has transitioned to a process that satisfies $c$. To express this intuition, we add 
rule iCon to the instrumentation rules of Table 1: 

iCon: if $p \in [\![c]\!]$ and $m \xrightarrow{c}_M n$ then $m \triangleleft p \xrightarrow{\tau}_{I(M,L)} n \triangleleft p$ 


We call the resulting instrumentation $I_b^C$. We observe that the resulting monitoring 
setup is transparent with respect to external actions: an external trace of the 
monitored system results in exactly the same external trace of the instrumentation 
LTS. The general traces, however, are not preserved, as the rule iCon may 
introduce additional silent transitions into the instrumentation trace; we argue 
that this is an expected consequence of the instrumentation verifying the 
conditions of $C$. $C$-monitors monitor for $\mathrm{sHML}^C$: 


Definition 10. The strong safety fragment of $\mu\mathrm{HML}^C$ is defined as: 
$\varphi, \psi \in \mathrm{sHML}^C ::= \mathrm{tt} \mid \mathrm{ff} \mid [\mu]\varphi \mid \neg c \vee \varphi \mid \varphi \wedge \psi \mid \max X.\varphi \mid X,$ 

where $c \in C$. We note that $\neg c \vee \varphi$ can be viewed as an implication $c \Rightarrow \varphi$, 
asserting that if $c$ holds, then $\varphi$ must also hold. □


It is immediate to see that $\mathrm{sHML}^C$ is a fragment of $\mu\mathrm{HML}^C$ and, when $C \subseteq \mu\mathrm{HML}$, 
it is also a fragment of μHML. Finally, if $C$ is closed under negation, 
then $\neg c \vee \varphi$ can be rewritten as $c' \vee \varphi$, where $[\![c']\!] = [\![\neg c]\!]$, and in the following 
we often take advantage of this equivalence to simplify the syntax of $\mathrm{sHML}^C$. 


Theorem 3. The monitoring system $(M_b^C, I_b^C)$ monitors for $\mathrm{sHML}^C$. 


We note that Theorem 3 implies that $\mathrm{sHML}^C$ is the largest monitorable 
fragment of $\mu\mathrm{HML}^C$, relative to $C$. 


4 Instantiations 


We consider two possible instantiations for parameter $C$ in the framework presented 
in Sect. 3. Since each of these instantiations consists of a fragment from 
the logic μHML itself, they both show how monitorability for μHML can be 
extended when using certain augmented traces. 
4.1 The Inability to Perform an Action 


The monitoring framework of [2,22] (used also in other works such as [18,19]), 
is based on the idea that, while a system is executing, it performs discrete com- 
putational steps called events (actions) that are recorded and relayed to the 
monitor for analysis. Based on the analysed events, the monitor then transi- 
tions from state to state. One may however also consider instrumentations that 
record a system’s inability to perform a certain action. Examples of this arise 
naturally in situations where actions are requested unsuccessfully by an external 
entity on a system, or whenever the instrumentation is able to report system 
stability (i.e., the inability of performing internal actions). For instance, such 
observations were considered in [1,31], in the context of testing preorders. 

In our setting, a process is unable to perform action $\mu$ exactly when it satisfies 
$[\mu]\mathrm{ff}$. For monitors that are able to detect the inability or failure of a process to 
perform actions, we set $F_{\mathrm{Act}} = \{[\mu]\mathrm{ff} \mid \mu \in \mathrm{Act} \cup \{\tau\}\}$ as the set of conditions. 
By Theorem 3, the resulting maximal monitorable fragment of μHML is given 
by the grammar: 

$\varphi, \psi \in \mathrm{sHML}^{F_{\mathrm{Act}}} ::= \mathrm{tt} \mid \mathrm{ff} \mid [\mu]\varphi \mid \langle\mu\rangle\mathrm{tt} \vee \varphi \mid \varphi \wedge \psi \mid \max X.\varphi \mid X.$ 


We note the fact that μHML is closed under negation, where $\neg[\mu]\mathrm{ff} \equiv \langle\mu\rangle\mathrm{tt}$. 


Proposition 1. The monitoring system $(M_b^{F_{\mathrm{Act}}}, I_b^{F_{\mathrm{Act}}})$ monitors for the logical 
fragment $\mathrm{sHML}^{F_{\mathrm{Act}}}$. 


A special case of interest are monitors that can detect process stability, i.e., 
processes satisfying $[\tau]\mathrm{ff}$. Such monitors monitor for $\mathrm{sHML}^{\{[\tau]\mathrm{ff}\}}$, namely sHML 
from Definition 6 extended with formulas of the form $\langle\tau\rangle\mathrm{tt} \vee \varphi$. 
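As an added example, not code from the paper, here is the instrumentation of Sect. 3 run operationally: the monitor rules of Table 1, the instrumentation rules iMon, iTer and iCon, and the condition framework $F_{\mathrm{Act}}$ of this subsection, with $\mathrm{rej}(m, p)$ computed as reachability of a $\mathrm{no} \triangleleft q$ configuration. The two system fragments in the LTS, the monitor terms and all names are constructed for the illustration. The property checked is $[a](\langle b\rangle\mathrm{tt} \vee \mathrm{ff})$ ("after an $a$, $b$ must be enabled"), which, with $\langle b\rangle\mathrm{tt} \vee \mathrm{ff}$ rewritten through the negated condition $[b]\mathrm{ff}$, is monitored by $a.[b]\mathrm{ff}.\mathrm{no}$; an ordinary event-based monitor sees the same trace $a$ from both systems and cannot tell them apart.

```python
from collections import deque

TAU = "tau"

# Constructed system LTS on Act = {a, b}; two disjoint systems share it.
#   0 -a-> 1, 1 -b-> 0, 0 -a-> 2, 2 -tau-> 2   (after the second a, b is never enabled)
#   5 -a-> 6, 6 -b-> 5                          (after every a, b is enabled)
TRANS = {(0, "a", 1), (1, "b", 0), (0, "a", 2), (2, TAU, 2),
         (5, "a", 6), (6, "b", 5)}
ACTIONS = ("a", "b", TAU)

def succ(p, mu):
    return {q for (s, act, q) in TRANS if s == p and act == mu}

# Condition framework F_Act = {[mu]ff | mu in Act u {tau}}: [mu]ff holds at p
# iff p cannot perform mu.  The valuation r is a predicate on states.
COND = {f"[{mu}]ff": (lambda p, mu=mu: not succ(p, mu)) for mu in ACTIONS}

# Closed monitors of Mon_b^C as nested tuples.
END, NO = ("end",), ("no",)
def act(mu, m): return ("act", mu, m)     # mu.m, with mu in Act u {tau} u C
def plus(m, n): return ("sum", m, n)      # m + n
def rec(x, m): return ("rec", x, m)       # rec x.m
def var(x): return ("mvar", x)

def subst(m, x, r):
    """m[r/x], stopping at a rebinding of x."""
    tag = m[0]
    if tag == "mvar":
        return r if m[1] == x else m
    if tag == "act":
        return ("act", m[1], subst(m[2], x, r))
    if tag == "sum":
        return ("sum", subst(m[1], x, r), subst(m[2], x, r))
    if tag == "rec":
        return m if m[1] == x else ("rec", m[1], subst(m[2], x, r))
    return m                                           # end, no

def mstep(m, mu):
    """Monitor successors of m under mu (Table 1: mAct, mSel, mRec, mVrd)."""
    tag = m[0]
    if tag in ("end", "no"):
        return {m}                                     # mVrd: verdicts are irrevocable
    if tag == "act":
        return {m[2]} if m[1] == mu else set()         # mAct, also for condition prefixes
    if tag == "sum":
        return mstep(m[1], mu) | mstep(m[2], mu)       # mSel and its symmetric rule
    if tag == "rec":
        return mstep(subst(m[2], m[1], m), mu)         # mRec: unfold once
    return set()

def config_succ(m, p):
    """Successors of m <| p under iMon, iTer and iCon."""
    out = set()
    for (s, mu, q) in TRANS:
        if s != p:
            continue
        ns = mstep(m, mu)
        if ns:
            out |= {(n, q) for n in ns}                # iMon: move in lockstep
        else:
            out.add((END, q))                          # iTer: monitor gives up
    for c, holds in COND.items():
        if holds(p):
            out |= {(n, p) for n in mstep(m, c)}       # iCon: silent step, system stays put
    return out

def rejects(m, p):
    """rej(m, p): some configuration no <| q is reachable from m <| p."""
    seen, todo = {(m, p)}, deque([(m, p)])
    while todo:
        cm, cp = todo.popleft()
        if cm == NO:
            return True
        for nxt in config_succ(cm, cp):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return False

# [a](<b>tt v ff): after an a, b must be enabled.  The synthesised C-monitor is a.[b]ff.no
M_ONCE = act("a", act("[b]ff", NO))
# Invariant version max X.([a](<b>tt v ff) ^ [a]X ^ [b]X ^ [tau]X)
M_INV = rec("x", plus(act("a", act("[b]ff", NO)),
                      plus(act("a", var("x")), plus(act("b", var("x")), act(TAU, var("x"))))))
# An ordinary basic monitor that only observes events: rejects on the trace a b
M_BASIC = act("a", act("b", NO))
```

From state 0 the monitored system can take $a$ to state 2, where $[b]\mathrm{ff}$ holds, so iCon lets `M_ONCE` and `M_INV` reach no; from state 5 every $a$ leads to state 6, where $b$ is enabled, the condition prefix never fires, and the next $b$ sends the monitor to end via iTer. `M_BASIC`, by contrast, rejects state 5 (and state 0) simply because the trace $ab$ exists, which is the wrong verdict for this property.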


4.2 Depth-Bounded Static Analysis 


In multi-pronged approaches using a combination of verification techniques, one 
could statically verify parts of a program (from specific execution points) with 
respect to certain behavioural properties using techniques such as Bounded 
Model Checking [11] and Partial Model Checking [7]. Typical examples arise in 
component-based software using modules, objects or agents that can be verified 
in isolation. This pre-computed verification can then be recorded as annotations 
to a component and subsequently reported by the instrumentation as part of 
the execution trace. This strategy would certainly be feasible for depth-bounded 
static analysis for which the original logic HML [24], the recursion-free fragment 
of μHML given below, is an ideal fit. 


$\eta, \chi \in \mathrm{HML} ::= \mathrm{tt} \mid \mathrm{ff} \mid \eta \wedge \chi \mid \eta \vee \chi \mid [\mu]\eta \mid \langle\mu\rangle\eta.$ 


Again, HML is closed under negation [4]. If we allow monitors to detect the 
satisfaction of these kinds of conditions, then, according to Theorem 3, the 
maximal fragment of μHML that we can monitor for, with HML as a condition 
framework, is $\mathrm{sHML}^{\mathrm{HML}}$, defined by the following grammar: 

$\varphi, \psi ::= \mathrm{tt} \mid \mathrm{ff} \mid [\mu]\varphi \mid \eta \vee \varphi \mid \varphi \wedge \psi \mid \max X.\varphi \mid X,$ 

where $\eta \in \mathrm{HML}$. Another way to describe $\mathrm{sHML}^{\mathrm{HML}}$ is as the μHML fragment 
that includes all formulas whereby for every subformula of the form $\varphi \vee \psi$, at 
most one of the constituent subformulas $\varphi, \psi$ uses recursion. 


Proposition 2. The monitoring system $(M_b^{\mathrm{HML}}, I_b^{\mathrm{HML}})$ monitors for the logical 
fragment $\mathrm{sHML}^{\mathrm{HML}}$. 


Instead of HML, we can alternatively use a fragment $\mathrm{HML}^d$ of HML that 
only allows formulas with nesting depth for the modalities of at most $d$. Since 
the complexity of checking HML formulas is directly dependent on this modal 
depth, there are cases where the overheads of checking such formulas are deemed 
to be low enough to be adequately checked for at runtime instead of checking 
for them statically. 


5 Extending External Monitorability 


We explore the impact of considering traces that encode conditions from Sect. 3 
on the monitorability of the weak version of the logic used in [21,22]: 

$\varphi, \psi \in \mathrm{W}\mu\mathrm{HML} ::= \mathrm{tt} \mid \mathrm{ff} \mid \varphi \wedge \psi \mid \varphi \vee \psi \mid \langle\!\langle\alpha\rangle\!\rangle\varphi \mid [\![\alpha]\!]\varphi \mid \min X.\varphi \mid \max X.\varphi \mid X.$ 

This version of the logic abstracts away from internal moves performed by the 
system; note that the weak modality formulas are restricted to external actions 
$\alpha$ as opposed to the general ones, $\mu$. The semantics follows that presented in 
Sect. 2, but can alternatively be given a more direct inductive definition, e.g. 

$[\![\,[\![\alpha]\!]\varphi, \rho\,]\!] = \{ p \mid \forall q.\ p \xRightarrow{\alpha} q \text{ implies } q \in [\![\varphi, \rho]\!] \}.$ 


The main aim of this section is to extend the maximally-expressive monitorable 
subset of μHML that was identified in [21,22] using the framework developed in 
Sect. 3. 


5.1 External Monitoring with Conditions 


We define the external monitoring system with conditions similarly to Sect. 3. 
The syntax of Definition 8 is extended so that, for any instance of $C$, if $m$ is a 
monitor and $c$ a condition from $C$, then $c.m$ is a monitor. 
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Definition 11. An external C-monitor on ACT is defined by the grammar: 
m,n € MONS ::= end | no | am | cem | m+n | recam | a, 


where c € C. C-monitor behaviour is defined as in Table 1, but extending rule 
MACT to condition prefixes that generate condition actions (i.e., u ranges over 
AcTUC). We call the resulting monitor LTS ME. 

For the instrumentation relation called IC, we consider the rules IMON, ITER 
from Table 1 for external actions a instead of the general action u, rule 1ABS 
from the same table, and rule ICON from Sect. 3. | 


Note that the monitoring system (M°,I°) may be used to detect 7- 
transitions implicitly—we conjecture that this cannot be avoided in general. 
Consider two conflicting conditions cı and c2, i.e., [ci]A[c2]=0. Definition 11 
permits monitors of the form c,.cg.m that encode the fact that state m can only 
be reached when the system under scrutiny performs a non-empty sequence of 
T-moves to transition from a state satisfying cı to another state satisfying co. 
This, in some sense, is also related to obscure silent action monitoring studied 
in [2]. 

We identify the grammar for the maximally-expressive monitorable syntactic
subset of the logic WμHML. It uses the formula [[ε]]φ, defined as:


$$[[\varepsilon]]\varphi = \max X.(\varphi \wedge [\tau]X).$$


The modality [[ε]]φ quantifies universally over the set of processes that can be
reached from a given one via any number of silent steps. Together with its dual
modality ⟨⟨ε⟩⟩φ, [[ε]]φ is used in the modal characterisation of weak bisimilarity
[30,34], in which τ transitions from one process may be matched by a (possibly
empty) sequence of τ transitions from another.


Definition 12. The weak safety fragment of WμHML with C is defined as:


$$\varphi, \psi \in \mathrm{WsHML}^C ::= tt \mid ff \mid [[\alpha]]\varphi \mid [[\varepsilon]](\neg c \vee \varphi) \mid \varphi \wedge \psi \mid \max X.\varphi \mid X,$$

where c ∈ C.

Theorem 4. The monitoring system (M^C, I^C) monitors for WsHML^C.


We highlight the need to insulate the appearance of the implication ¬c ∨ φ
from internal system behaviour by using the modality [[ε]] in Definition 12. For
conditions that are invariant under τ-transitions this modality is not required,
but it cannot be eliminated otherwise; we revisit this point in Example 2.


5.2 Instantiating External Monitors with Conditions 


We consider three different instantiations of our parametric external monitoring
system of Sect. 5.1.

Recursion-Free Formulas. The weak version of HML, denoted by wHML, is
the recursion-free fragment of WμHML. Similarly to what was argued earlier in
Sect. 4.2, it is an appropriate set of conditions to instantiate set C in WsHML^C,
and the maximal monitorable fragment of WμHML with conditions from wHML
is WsHML^{wHML}, defined by the following grammar, where η ∈ wHML:


$$\varphi, \psi ::= tt \mid ff \mid [[\alpha]]\varphi \mid [[\varepsilon]](\eta \vee \varphi) \mid \varphi \wedge \psi \mid \max X.\varphi \mid X.$$


Proposition 3. The monitoring system (M^{wHML}, I^{wHML}) monitors for the logical
fragment WsHML^{wHML}.


An important observation (that is perhaps surprising) is that WsHML^{wHML}
is not a fragment of WμHML, as the following example demonstrates.


Example 2. Although for any (closed) WsHML formula φ we have the logical
equivalence [[ε]]φ ≡ φ (notice that the monitor for φ that is guaranteed by
Theorem 2 also monitors for [[ε]]φ), this logical equivalence does not hold for a
formula φ from WμHML. Consider the formula φ_ε below, which may be expressed
using a formula from WsHML^{wHML}:


$$\varphi_\varepsilon = [[\varepsilon]]\langle\!\langle a \rangle\!\rangle tt = [[\varepsilon]](\langle\!\langle a \rangle\!\rangle tt \vee ff) \in \mathrm{WsHML}^{\mathrm{wHML}}.$$


Formula φ_ε is not equivalent to ⟨⟨a⟩⟩tt (e.g. the process a.nil + τ.nil satisfies
⟨⟨a⟩⟩tt, but not φ_ε), meaning that [[ε]] plays a discerning role in the context of
WμHML. Furthermore, φ_ε holds for process τ.a.nil, but not for a.nil + τ.nil, even
though these two processes cannot be distinguished by any WμHML formula. In
fact, it turns out that they are bisimilar with respect to weak external transitions,
and this bisimulation characterises the satisfaction of WμHML formulas [24].
Thus, there is no formula in WμHML that is equivalent to φ_ε.


Previous Runs and Alternating Monitoring. A monitoring system could
reuse information from previous system runs, perhaps recorded as execution logs,
and whenever (sub)traces can be associated with specific states of the system,
these can also be used as an instantiation for our parametric framework. More
concretely, in [21,22] it is shown that traces can be used to characterise the
violation of WsHML formulas, or the satisfaction of formulas from the dual
fragment, WcHML, defined below.


Definition 13. The co-safety fragment of WμHML is defined by the grammar:

$$\pi, \kappa \in \mathrm{WcHML} ::= tt \mid ff \mid \langle\!\langle \alpha \rangle\!\rangle \pi \mid \pi \vee \kappa \mid \min X.\pi \mid X.$$

The witnessed rejection and acceptance traces can in turn be used as part of an
augmented trace for an instantiation for C to obtain the monitorable dual logics
WsHML^{WcHML} and WcHML^{WsHML} that alternate between rejection monitoring
and acceptance monitoring. The logic WsHML^{WcHML} is defined by the following
grammar, where θ ∈ WsHML:

$$\varphi, \psi ::= tt \mid ff \mid [[\alpha]]\varphi \mid [[\varepsilon]](\theta \vee \varphi) \mid \varphi \wedge \psi \mid \max X.\varphi \mid X;$$

and WcHML^{WsHML} is defined by the following grammar, where χ ∈ WcHML:

$$\pi, \kappa ::= tt \mid ff \mid \langle\!\langle \alpha \rangle\!\rangle \pi \mid \langle\!\langle \varepsilon \rangle\!\rangle(\chi \wedge \pi) \mid \pi \vee \kappa \mid \min X.\pi \mid X.$$


Proposition 4. The monitoring system (M^{WcHML}, I^{WcHML}) rejection-monitors
for the logical fragment WsHML^{WcHML}.


One should observe that in this case WsHML^{WcHML} is a fragment of WμHML,
in contrast to the previous instantiation WsHML^{wHML} from Sect. 5.2.


Lemma 1. For every [[ε]](η ∨ φ) ∈ WsHML^{WcHML} (where η ∈ WsHML), we
have [[ε]](η ∨ φ) ≡ η ∨ φ.


Corollary 1. For every formula in WsHML^{WcHML}, there is a logically equivalent
formula in WμHML.


This entails that WsHML^{WcHML} can be reformulated using the following,
simpler, grammar (here η ∈ WsHML), which is clearly a fragment of WμHML:


$$\varphi, \psi ::= tt \mid ff \mid [[\alpha]]\varphi \mid \eta \vee \varphi \mid \varphi \wedge \psi \mid \max X.\varphi \mid X.$$


If the monitoring system can use such information from previous runs, there is no
reason to limit this information to just one previous run. If the instrumentation
mechanism can record up to i prior runs, the monitorable logic may be described
as WsHML^{i+1}, defined inductively in the following way:


— WsHML^1 = WsHML and WcHML^1 = WcHML; and
— WsHML^{i+1} = WsHML^{WcHML^i} and WcHML^{i+1} = WcHML^{WsHML^i}.


Whenever this setup can be extended to unlimited prior runs, the resulting
rejection-monitorable fragment would be WsHML^ω = ⋃_i WsHML^i, which is
also described by the following grammar:


$$\varphi, \psi ::= tt \mid ff \mid [[\alpha]]\varphi \mid \varphi \vee \psi \mid \varphi \wedge \psi \mid \max X.\varphi \mid X.$$


WsHML^ω is a non-trivial extension of WsHML which is still within WμHML.


Failure to Execute an Action and Refusals. In Subsect. 4.1, we instantiated
the condition set C as the set of formulas from μHML that assert the inability of
a process to perform an action. These formulas are of the form [α]ff. We recast
this approach in the setting of weak monitorability. In this setting, where the
monitoring system and the specification formulas ignore any silent transitions,
the inability of a process to perform an α-transition acquires a different meaning
from the one used for the basic system. In particular, we consider a stronger
version of these conditions that incorporates stability; this makes them invariant
over τ-transitions. We say that p refuses α when $p \stackrel{\tau}{\not\longrightarrow}$ and $p \stackrel{\alpha}{\not\longrightarrow}$.
In [31], a very similar notion is used for refusal testing (see also [1]). Thus, much
in line with [31], we use the following definition.


Definition 14. A process p of an LTS L refuses action α ∈ ACT, written p ref α,
when $p \stackrel{\tau}{\not\longrightarrow}$ and $p \stackrel{\alpha}{\not\longrightarrow}$. The set of conditions that corresponds to refusals
is thus $R_{\mathrm{ACT}} = \{ [\tau]ff \wedge [\alpha]ff \mid \alpha \in \mathrm{ACT} \}$.


According to Theorem 4, the largest fragment of μHML that we can monitor for,
using monitors that can detect refusals, is WsHML^{R_ACT}, given by the
following grammar:


$$\varphi, \psi ::= tt \mid ff \mid [[\alpha]]\varphi \mid [[\varepsilon]](\langle \tau \rangle tt \vee \langle \alpha \rangle tt \vee \varphi) \mid \varphi \wedge \psi \mid \max X.\varphi \mid X.$$


Again, ⟨τ⟩tt ∨ ⟨α⟩tt ∨ φ is best read as the implication ([τ]ff ∧ [α]ff) → φ: if
the process is stable and cannot perform an α-transition, then φ must hold.


Proposition 5. The monitoring system (M^{R_ACT}, I^{R_ACT}) monitors for the logical
fragment WsHML^{R_ACT}.


Example 3. Consider the formula

$$\varphi_3 = [[\varepsilon]](\langle \tau \rangle tt \vee \langle a \rangle tt \vee [[\bar{a}]]ff) \in \mathrm{WsHML}^{R_{\mathrm{ACT}}}.$$


Formula φ_3 claims that at every stable state that the system can reach, if action
a is impossible, then action ā should also be impossible. We can see that φ_3
is true for τ.nil + ā.nil, but not for ā.nil. However, the two processes cannot
be distinguished by WμHML, as they have the same weak external transitions.
Therefore, WsHML^{R_ACT} is not a fragment of WμHML; but, as we have seen, it
is a fragment of μHML. Here we have a part of the formula that clearly is not
part of WμHML, namely ⟨τ⟩tt, which asserts that the process can perform a
silent transition.


Example 4. Let us consider an LTS L_0 of stable processes, that is, L_0 is an
LTS without any silent transitions. L_0 offers a simplified setting in which to cast our
observations. In this case, the [[ε]], [τ], and ⟨τ⟩ modalities can be eliminated
from our formulas, and weak modalities are equivalent to strong modalities.
This allows us to simplify the grammar for WsHML^{R_ACT} as follows:


$$\varphi, \psi ::= tt \mid ff \mid [\alpha]\varphi \mid \langle \alpha \rangle tt \vee \varphi \mid \varphi \wedge \psi \mid \max X.\varphi \mid X.$$


Perhaps unsurprisingly, this grammar yields the same formulas as the restriction
of the grammar of Subsect. 4.1 to external actions. An instance of a specification that
can be formalized in this fragment is the following. Consider a simple server-client
system, where the client can request a resource, which is represented by action
rq, and the server may give a positive response, represented by action rs, after
which it needs to allocate said resource to the client, represented by action al.
A reasonable specification for the server is that if it is impossible at the moment
to provide a resource, then it should not give a positive response to the client.
In the above simplification of WsHML^{R_ACT}, this specification can be formalized
as [rq](⟨al⟩tt ∨ [rs]ff). If the LTS includes silent transitions, the corresponding
specification would be written as


$$\varphi_r = [[rq]][[\varepsilon]](\langle \tau \rangle tt \vee \langle al \rangle tt \vee [[rs]]ff).$$


In other words, after a request, if the server cannot provide a resource and it
is stable (so there is no possibility that after some time the resource will be
available), then the server should not give a positive response to the client.
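As an added example (not code from the paper), the following Python evaluates the formulas of Examples 2, 3 and 4 on constructed finite LTSs: [[ε]] is computed as τ-reachability, which coincides with max X.(φ ∧ [τ]X) on a finite state space, and refusals are read as in Definition 14. The state names, the tuple encoding of formulas and the two server models are assumptions of the example.

```python
TAU = "tau"


class LTS:
    """Finite LTS built from constructed (source, action, target) triples."""

    def __init__(self, transitions):
        self.trans = {}
        for s, a, t in transitions:
            self.trans.setdefault(s, set()).add((a, t))

    def succ(self, s, a):
        """Strong successors: states t with s -a-> t."""
        return {t for b, t in self.trans.get(s, ()) if b == a}

    def tau_closure(self, s):
        """States reachable from s by zero or more tau steps (the range of [[eps]])."""
        seen, todo = {s}, [s]
        while todo:
            p = todo.pop()
            for q in self.succ(p, TAU) - seen:
                seen.add(q)
                todo.append(q)
        return seen

    def weak_succ(self, s, a):
        """Weak external successors: tau* a tau*."""
        return {t for p in self.tau_closure(s)
                for q in self.succ(p, a)
                for t in self.tau_closure(q)}

    def refuses(self, s, a):
        """p ref a (Definition 14): stable and unable to perform a."""
        return not self.succ(s, TAU) and not self.succ(s, a)


def sat(lts, s, f):
    """s |= f for the recursion-free weak formulas used in Examples 2-4."""
    op = f[0]
    if op == "tt":
        return True
    if op == "ff":
        return False
    if op == "and":
        return sat(lts, s, f[1]) and sat(lts, s, f[2])
    if op == "or":
        return sat(lts, s, f[1]) or sat(lts, s, f[2])
    if op == "can":                     # strong <a>tt; with a == TAU it is the stability test
        return bool(lts.succ(s, f[1]))
    if op == "wbox":                    # weak necessity [[a]]f
        return all(sat(lts, t, f[2]) for t in lts.weak_succ(s, f[1]))
    if op == "wdia":                    # weak possibility <<a>>f
        return any(sat(lts, t, f[2]) for t in lts.weak_succ(s, f[1]))
    if op == "eps":                     # [[eps]]f = max X.(f /\ [tau]X)
        return all(sat(lts, t, f[1]) for t in lts.tau_closure(s))
    raise ValueError(f"unknown operator {op!r}")


def refusal_guard(a, f):
    """[[eps]](<tau>tt or <a>tt or f): at every tau-reachable state that refuses a, f holds."""
    return ("eps", ("or", ("can", TAU), ("or", ("can", a), f)))


def guard_via_refuses(lts, s, a, f):
    """The same condition read directly through Definition 14's refusal predicate."""
    return all(not lts.refuses(t, a) or sat(lts, t, f) for t in lts.tau_closure(s))


# Example 2: tau.a.nil versus a.nil + tau.nil (constructed state names)
P1 = LTS([("P1", TAU, "a.nil"), ("a.nil", "a", "nil")])
P2 = LTS([("P2", "a", "nil"), ("P2", TAU, "nil")])
PHI_EPS = ("eps", ("wdia", "a", ("tt",)))           # [[eps]]<<a>>tt

# Example 3: tau.nil + abar.nil versus abar.nil
Q1 = LTS([("Q1", TAU, "nil"), ("Q1", "abar", "nil")])
Q2 = LTS([("Q2", "abar", "nil")])
PHI_3 = refusal_guard("a", ("wbox", "abar", ("ff",)))

# Example 4: a server that answers rs only while al is enabled, and one that
# answers rs from a stable state in which it cannot allocate
GOOD = LTS([("S0", "rq", "S1"), ("S1", "al", "S2"), ("S1", "rs", "S2")])
BAD = LTS([("T0", "rq", "T1"), ("T1", "rs", "T2")])
PHI_R = ("wbox", "rq", refusal_guard("al", ("wbox", "rs", ("ff",))))


def run_examples():
    """Truth values claimed in Examples 2-4, computed on the constructed processes."""
    return {
        "ex2": (sat(P1, "P1", PHI_EPS), sat(P2, "P2", PHI_EPS),
                sat(P2, "P2", ("wdia", "a", ("tt",)))),
        "ex3": (sat(Q1, "Q1", PHI_3), sat(Q2, "Q2", PHI_3)),
        "ex4": (sat(GOOD, "S0", PHI_R), sat(BAD, "T0", PHI_R)),
    }
```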


6 Conclusions 


In order to devise effective verification strategies that straddle between the pre-
and post-deployment phases of software production, one needs to understand
better the monitorability aspects of the correctness properties that are to be
verified. We have presented a general framework that allows us to determine
maximal monitorable fragments of an expressive logic that is agnostic of the
verification technique employed, namely μHML. By way of a number of instantiations,
we also show how the framework can be used to reason about the
monitorability induced by various forms of augmented traces. Our next immediate
concern is to validate the proposed instantiations empirically by constructing
monitoring systems and tools that are based on these results, as we did already
for the original monitorability results of [21,22] in [9,10,12].


Related Work. Monitorability for μHML was first examined in [21,22]. This work
introduced the external monitoring system and identified WsHML as the largest
monitorable fragment of μHML with respect to that system. The ensuing work
in [2] focused on monitoring setups that can distinguish silent actions to a varying
degree, and introduced the basic monitoring system, showing analogous
monitorability results for μHML.

Monitorability has also been examined for languages defined over traces,
such as LTL. Pnueli and Zaks in [32] define a notion of monitorability over
traces, although they do not attempt maximal monitorability results. Diekert
and Leucker revisited monitorability from a topological perspective in [16].
Falcone et al. in [17] extended the work in [32] to incorporate enforcement
and introduced a notion of monitorability on traces that is parameterized with
respect to a truth domain that corresponds to our separation into acceptance-
and rejection-monitorable properties. In [13], the authors use a monitoring system
that can generate derivations of satisfied formulas from a fragment of LTL.
However, they do not argue that this fragment is somehow maximal. There is
a significant body of work on synthesizing monitors from LTL formulas, e.g.
[13,23,33,35], and it would be worth investigating whether our general techniques
for monitor synthesis can be applied effectively in these cases.

Phillips introduced refusal testing in [31] as a way to extend the capabilities 
of testing (see [18] for a discussion on how our monitoring setup relates to testing 
preorders). The meaning of refusals in [31] is very close to the one in Definition 14 
and it is interesting to note how Phillips’ use of tests for refusal formulas is 
similar to our monitoring mechanisms for refusals. Abramsky [1] uses refusals in 
the context of a much more powerful testing machinery, in order to identify the 
kind of testing power that is required for distinguishing non-bisimilar processes. 

The decomposition of the verification burden across verification techniques, 
or across iterations of alternating monitoring runs as presented in Sect. 5, can be 
seen as a method for quotienting. In [7] Andersen studies quotienting of the spec- 
ification logics discussed in this paper to reduce the state-space during model 
checking and thus increase its efficiency (see also [27] for a more recent treat- 
ment). The techniques used rely heavily on the model’s concurrency constructs 
and may produce formulas that are larger in size than the original, but which 
can be checked against a smaller component of the model. In multi-pronged 
approaches to verification one would expect to encounter similar difficulties 
occasionally. 
Abstract. The study of modal logics and various bisimulation equivalences
so far shows the following progression: 1. weak bisimilarity is
characterized by Hennessy-Milner logic (HML), a simple propositional 
modal logic with a weak possibility modality, and 2. extending HML by 
refining the weak possibility modality one obtains a logic which char- 
acterizes branching bisimilarity, a refinement of weak bisimilarity, and 
3. further extending the logic with a divergence modality one obtains 
a logic which characterizes branching bisimilarity with explicit diver- 
gence, a refinement of branching bisimilarity. In this paper, we explore 
the development by exchanging the above 2 and 3, i.e. by first extending 
HML with a divergence modality and then refining the weak possibil- 
ity modality in the extended logic. We have the following findings: A. 
extending HML with a new divergence modality one obtains a new logic 
which characterizes complete weak bisimilarity, an equivalence relation 
with distinguishing power in between weak bisimilarity and branching 
bisimilarity with explicit divergence; B. further extending the obtained 
logic by refining the weak possibility modality in it one obtains another 
logic which characterizes branching bisimilarity with explicit divergence. 
As main results of the paper, the logic in A. provides a modal character- 
ization for complete weak bisimilarity, and moreover the two new logics 
in A. and B. are both sub-logics of the known logic obtained in above 3. 


1 Introduction 


Weak bisimilarity is a popular equivalence relation introduced by Milner [9]. It is 
defined through the notion of weak bisimulation which was proposed by Milner 
[9] based on an idea independently discovered by van Benthem [4] and Park [8]. 
The importance of weak bisimulation is that it not only defines an equivalence 
relation but also provides a verification technique for the equality. A well-known 
theoretical result for weak bisimilarity is that the equivalence is characterized 
by a modal logic which is known as Hennessy-Milner logic (HML) [2] in the 
following sense: two processes are equivalent with respect to weak bisimilarity if 
and only if they satisfy exactly the same set of HML formulas. 
Because weak bisimilarity does not preserve divergence, i.e. it is possible for
two equivalent processes that one of them is capable of endless internal computa- 
tions while the other is not, various divergence preserving versions of weak bisim- 
ulation equivalences and pre-orders are studied later [1,3,5,13]. Complete weak 
bisimilarity is a newly proposed divergence preserving weak bisimulation equiv- 
alence [10]. Like weak bisimilarity, complete weak bisimilarity is supported by 
a bisimulation verification technique called inductive weak bisimulation, which 
can be very helpful in practical verification that concerns divergence. One of the 
main aims of this paper is to find a modal logic which characterizes complete 
weak bisimilarity just as HML characterizes weak bisimilarity. 

We will put our study into a more general context. The study of modal logics 
and various bisimulation equivalences so far shows the following progression 
which reveals the co-related increase for the expressive power of the logics and 
the distinguishing power of the equivalences: 


1. Weak bisimilarity is characterized by HML which is a simple propositional 
modal logic with a weak possibility modality [2]; 

2. Extending HML by refining the weak possibility modality one obtains a logic 
which characterizes branching bisimilarity [5,6], a refinement of weak bisim- 
ilarity proposed in [12], 

3. Further extending the logic with a divergence modality one obtains a logic 
which characterizes branching bisimilarity with explicit divergence [13], a 
refinement of branching bisimilarity proposed in [12]. 


In this paper, we explore the development by exchanging the order of 2 and 3, 
i.e. by first extending HML with a divergence modality and then refining the 
weak possibility modality in the extended logic. We have the following findings: 


A. Extending HML with a new divergence modality one obtains a logic which 
characterizes complete weak bisimilarity, an equivalence relation with distin- 
guishing power in between weak bisimilarity and branching bisimilarity with 
explicit divergence; 

B. Further extending the obtained logic by refining the weak possibility modality 
in it one obtains another logic which characterizes branching bisimilarity with 
explicit divergence. 


To summarize the results of the paper: 


— The above A. is the wanted result of modal characterization of complete weak 
bisimilarity. 

— The two new logics in A. and B. are both sub-logics of the known logic men- 
tioned in above 3, hence showing a clear picture of the sub-logic relationships 
of the corresponding characterization results. 

— For finite-state systems, we also use the modal characterization to show a
reduction from the problem of checking equality of complete weak bisimilarity
to the problem of checking equality of ordinary weak bisimilarity, thus
providing a decision procedure for the problem of checking equality of finite-state
systems with respect to complete weak bisimilarity.
The rest of the paper is organized as follows. Section 2 presents the definitions
of the equalities, i.e. weak bisimilarity, complete weak bisimilarity, branching
bisimilarity, and branching bisimilarity with explicit divergence. Section 3
studies the relationships of the modal logic characterizations of the equalities. 
Section 4 studies reductions for decision problems concerning finite-state pro- 
cesses. Section 5 concludes. 


2 Bisimulations and Divergence 


In this section, after settling some necessary preliminaries, we introduce the main 
equivalence relation, i.e. complete weak bisimilarity, together with some related 
equivalences like branching bisimilarity and branching bisimilarity with explicit 
divergence. 


Definition 1 (Labeled transition systems). A labeled transition system (or
LTS) is a triple $\mathcal{A} = (S, A, \rightarrow)$ where:


– $S$ is a set of states, $A$ is a set of actions, and $\rightarrow \subseteq S \times (A \cup \{\tau\}) \times S$ is the
transition relation. $\tau$ is the silent action, which is assumed not to be in $A$. An
element $(s, a, t)$ of $\rightarrow$, usually written as $s \xrightarrow{a} t$, is called a transition;

– A finite run of $\mathcal{A}$ is a finite, nonempty alternating sequence of states and
actions $\rho = s_0 a_0 s_1 a_1 \ldots s_{n-1} a_{n-1} s_n$ which begins with a state and ends
with a state, such that for $0 \le i < n$, $s_i \xrightarrow{a_i} s_{i+1}$. We also say that $\rho$ is a
finite run from $s_0$ to $s_n$;

– For $\rho = s_0 a_0 s_1 a_1 \ldots s_{n-1} a_{n-1} s_n$, define $Act(\rho) = a_0 a_1 \ldots a_{n-1}$ and
$length(\rho) = n$;

– An infinite run of $\mathcal{A}$ is an infinite alternating sequence of states and actions
$\rho = s_0 a_0 s_1 a_1 \ldots$ which begins with a state, such that for all $i = 0, 1, \ldots$,
$s_i \xrightarrow{a_i} s_{i+1}$. We also say that $\rho$ is an infinite run from $s_0$;

– A (finite or infinite) $\tau$-run of $\mathcal{A}$ is a (finite or infinite) run of $\mathcal{A}$ in which all
actions are $\tau$'s.


For a finite sequence of actions $l \in (A \cup \{\tau\})^*$, let $\hat{l} \in A^*$ be the sequence
obtained by deleting all $\tau$'s from $l$.

We use standard notations for multi-step $\tau$ transitions, and the so-called
double-arrow transitions: write $s \Rightarrow s'$ if there is a finite $\tau$-run from $s$ to $s'$;
write $s \stackrel{a}{\Rightarrow} s'$ if there exist $t, t'$ such that $s \Rightarrow t$, $t \xrightarrow{a} t'$, $t' \Rightarrow s'$. Note the
important difference between $s \Rightarrow s'$ and $s \stackrel{\tau}{\Rightarrow} s'$: the former means that from
$s$ to $s'$ there is a finite $\tau$-run (possibly of length zero), while the latter
means that from $s$ to $s'$ there is a finite $\tau$-run of non-zero length. Thus $s \Rightarrow s$
holds for all $s \in S$, while $s \stackrel{\tau}{\Rightarrow} s$ holds only when $s$ is on a $\tau$-loop consisting of
one or more $\tau$-transitions. Also, for $l \in (A \cup \{\tau\})^*$ we will write $s \stackrel{l}{\Rightarrow} s'$ if there
is a finite run $\rho$ from $s$ to $s'$ with $\widehat{Act(\rho)} = \hat{l}$. Note that $s \Rightarrow s'$ means exactly
$s \stackrel{\varepsilon}{\Rightarrow} s'$, where $\varepsilon$ is the empty string.

Next, we review the well-known notions of weak bisimulation, weak bisimi- 
larity [9], and branching bisimulation, branching bisimilarity [12]. 
Definition 2 (Weak and branching bisimulations). Let $\mathcal{A} = (S, A, \rightarrow)$ be an
LTS. A binary relation $R \subseteq S \times S$ is a weak bisimulation if it is symmetric and
moreover for all $(s, t) \in R$ the following holds:


whenever $s \xrightarrow{a} s'$, then there exists $t'$ such that $t \stackrel{\hat{a}}{\Rightarrow} t'$ and $(s', t') \in R$.


A binary relation $R \subseteq S \times S$ is a branching bisimulation if it is symmetric and
moreover for all $(s, t) \in R$ the following holds:


whenever $s \xrightarrow{a} s'$, then either $a = \tau$ and there exists $t'$ such that $t \Rightarrow t'$
and $(s, t'), (s', t') \in R$, or there exist $t', t''$ such that $t \Rightarrow t'$, $t' \xrightarrow{a} t''$ and
$(s, t'), (s', t'') \in R$.


Now define two relations $\approx$, $\approx_b$ as follows:


$$\approx \;=\; \bigcup\{R \mid R \text{ is a weak bisimulation}\},$$
$$\approx_b \;=\; \bigcup\{R \mid R \text{ is a branching bisimulation}\}.$$


The notions of weak and branching bisimulations enjoy some nice properties,
as stated in the following Lemmas 1 and 2, which then lead to the important
Theorem 1 that justifies Definition 2.


Lemma 1. If $\{R_i \mid i \in I\}$ is a set of weak bisimulations, then $\bigcup\{R_i \mid i \in I\}$
is a weak bisimulation. If $\{R_i \mid i \in I\}$ is a set of branching bisimulations, then
$\bigcup\{R_i \mid i \in I\}$ is a branching bisimulation.


For two binary relations $R_1, R_2$, we write $R_1 \cdot R_2$ for the composition of $R_1$
and $R_2$, i.e. $R_1 \cdot R_2 = \{(s, t) \mid \exists u.\ (s, u) \in R_1, (u, t) \in R_2\}$.


Lemma 2. If $R_1, R_2$ are weak bisimulations, then $R_1 \cdot R_2 \cup R_2 \cdot R_1$ is also a
weak bisimulation. If $R_1, R_2$ are branching bisimulations, then $R_1 \cdot R_2 \cup R_2 \cdot R_1$
is also a branching bisimulation.


The proofs of the above two lemmas directly follow from Definition 2 (note
that we modified the conditions for branching bisimulation as in [11]). With the
above two lemmas, it is routine to prove the following theorem, which justifies
the definitions of $\approx$ and $\approx_b$.


Theorem 1. $\approx$ is an equivalence relation, and it is the largest weak bisimulation.
$\approx_b$ is an equivalence relation, and it is the largest branching bisimulation.


With Theorem 1, $\approx$ and $\approx_b$ are usually called weak bisimilarity and branching
bisimilarity respectively.

It is well known that neither $\approx$ nor $\approx_b$ preserves divergence, i.e. it is possible
for two states $s$ and $t$ such that $s \approx t$ while there is an infinite $\tau$-run from $s$ but
no infinite $\tau$-run from $t$.

In order to obtain divergence preserving relations, we can adopt the approach 
used in [12] by introducing the following definition. 
Definition 3 (Weak and branching bisimulation with explicit divergence). Let
$\mathcal{A} = (S, A, \rightarrow)$ be an LTS. A state $s \in S$ is said to be divergent with respect to an
equivalence relation $\equiv$, written $s \Uparrow_\equiv$, if from $s$ there is an infinite $\tau$-run $\rho$ such
that all the states on $\rho$ are $\equiv$-equivalent to $s$.

An equivalence relation $\equiv$ on $S$ is called a weak bisimulation with explicit
divergence if $\equiv$ is a weak bisimulation and moreover whenever $s \equiv t$ it holds that
$s \Uparrow_\equiv$ if and only if $t \Uparrow_\equiv$.

An equivalence relation $\equiv$ on $S$ is called a branching bisimulation with
explicit divergence if $\equiv$ is a branching bisimulation and moreover whenever $s \equiv t$
it holds that $s \Uparrow_\equiv$ if and only if $t \Uparrow_\equiv$.


Now define two relations $\approx^\Delta$, $\approx_b^\Delta$ as follows:

$$\approx^\Delta \;=\; \bigcup\{\equiv \;\mid\; \equiv \text{ is a weak bisimulation with explicit divergence}\},$$
$$\approx_b^\Delta \;=\; \bigcup\{\equiv \;\mid\; \equiv \text{ is a branching bisimulation with explicit divergence}\}.$$


$\approx^\Delta$ and $\approx_b^\Delta$ are called weak bisimilarity with explicit divergence and branching
bisimilarity with explicit divergence respectively.


At this point, let us see a non-trivial example of branching bisimulation with
explicit divergence. Define $\equiv_{sc}$, the strongly connected relation, such that $s \equiv_{sc} t$
if and only if $s \Rightarrow t$ and $t \Rightarrow s$. That is, $s \equiv_{sc} t$ just in case $s$ and $t$ can reach
each other by performing $\tau$ actions. It only takes a second to check that $\equiv_{sc}$ is
an equivalence relation. Moreover we have:


Proposition 1. $\equiv_{sc}$ is a branching bisimulation with explicit divergence.


The following lemma is easy to prove.


Lemma 3. If $\equiv$ is a weak bisimulation with explicit divergence, then $\equiv$ preserves
divergence, i.e. whenever $s \equiv t$ then there is an infinite $\tau$-run from $s$ if and only
if there is one from $t$.


With this lemma, we can show that $\approx^\Delta$ preserves divergence as follows. If $\rho$ is an
infinite $\tau$-run from $s$ and $s \approx^\Delta t$, then there is a weak bisimulation with explicit
divergence $\equiv$ such that $s \equiv t$, and so by Lemma 3 there is an infinite $\tau$-run from $t$;
thus $\approx^\Delta$ preserves divergence. One is tempted to say that, with Lemma 3, $\approx^\Delta$
obviously preserves divergence, since $\approx^\Delta$ is a weak bisimulation with explicit
divergence. However, to apply Lemma 3 in this way, we first have to prove that
$\approx^\Delta$ is a weak bisimulation with explicit divergence, and at least for the moment
we do not know if this is indeed the case.

Thus, as the definitions of $\approx$ and $\approx_b$ are justified by Theorem 1, the definitions
of $\approx^\Delta$ and $\approx_b^\Delta$ also need justification. That is to say, we need to confirm that $\approx^\Delta$
as defined is indeed the largest weak bisimulation with explicit divergence and
$\approx_b^\Delta$ the largest branching bisimulation with explicit divergence (as it is stated
in the definition, we do not even know whether $\approx^\Delta$ and $\approx_b^\Delta$ are equivalence
relations!). But this time the task is not as easy, since we no longer have the
corresponding lemmas available, as Lemmas 1 and 2 were for Theorem 1. As a matter of
fact, this implies that we do not know whether the notion of weak bisimulation
with explicit divergence is a fixed point of some monotonic function on the
complete lattice of equivalence relations, and hence the Knaster-Tarski fixed-point
theorem is not applicable in this case. Thus we need to find a different
way to justify Definition 3. For the time being we have the following obvious
lemma, which clarifies the justification task.


Lemma 4. $\approx^\Delta$ ($\approx_b^\Delta$) is the largest weak (branching) bisimulation with explicit
divergence if and only if the largest weak (branching) bisimulation with explicit
divergence exists.


Justification of the definition of $\approx_b^\Delta$ can be found in [13,14], but not in
[12], where it was introduced for the first time. While a justification for $\approx_b^\Delta$ might
be taken for granted, a justification for $\approx^\Delta$ may seem to be more necessary.
This is because in a weak bisimulation equivalence relation, unlike branching
bisimulation, an infinite $\tau$-run from a process may be matched by an infinite
$\tau$-run from a related process in a way that the sequences of equivalence classes
passed through by the two runs may not be the same. So one needs to be more
careful in dealing with $\approx^\Delta$. According to Lemma 4, in order to prove that $\approx^\Delta$
is a weak bisimulation with explicit divergence we only need to show that the
largest weak bisimulation with explicit divergence exists. This approach was
taken in [10], where two relations called complete weak bisimilarity and complete
branching bisimilarity were constructed and proved to be the largest weak bisimulation
with explicit divergence and the largest branching bisimulation with explicit
divergence respectively. In this paper, for self-containment, we will present a
justification of the definition of $\approx^\Delta$ in the next section, by using the logical
characterization result. For convenience of naming, in the paper we will freely
use the name complete weak (branching) bisimilarity as a synonym for weak
(branching) bisimilarity with explicit divergence.


3 Modal Characterization 


The main aim of this section is to look for a modal logic characterization of
complete weak bisimilarity $\approx^\Delta$, and to study its relationship with logic characterizations
of other bisimulation equivalences. For that, we first review some of the
existing logic characterization results.

In [2] a modal logic, later known as Hennessy-Milner logic (HML), was introduced,
and it was proved that two given processes are equivalent under weak bisimilarity
$\approx$ if and only if they satisfy the same set of HML formulas. This is the
so-called Hennessy-Milner theorem. The key constructor in HML is the weak
possibility modality $\langle\!\langle u \rangle\!\rangle F$, which asserts that after the observation of $u$ some
state with property $F$ is reached. In [6], the weak possibility modality was refined
to an until modality in the form of $F_1 \langle a \rangle F_2$, meaning that there is a finite $\tau$-run
such that all the states on it satisfy $F_1$, and the last state can perform an $a$ action
and arrives at a state satisfying $F_2$, and it was proved that the refined logic characterizes
branching bisimilarity $\approx_b$, just as HML characterizes weak bisimilarity.
In [5] the weak possibility modality was refined to a just-before modality in the
form of $F_1 \{a\} F_2$, meaning that there is a finite $\tau$-run such that the last state
satisfies $F_1$ and can perform an $a$ action and arrives at a state satisfying $F_2$,
and it was proved that this refined logic also characterizes branching
bisimilarity $\approx_b$. In [13], the logic of [5] was further extended with a divergence
modality in the form of $\Delta F$, meaning that there is an infinite $\tau$-run on
which eventually all the states satisfy $F$, and it was proved that the extended logic
characterizes branching bisimilarity with explicit divergence $\approx_b^\Delta$.

As the starting point of the work of this paper, we describe a modal logic
HMLbΔ, which is basically the logic of [13] with a derived operator $\langle\!\langle u \rangle\!\rangle$. The set of
formulas of HMLbΔ is defined by the following syntax of BNF rules:


$$F ::= \bigwedge_{i \in I} F_i \;\mid\; \neg F \;\mid\; F_1 \{u\} F_2 \;\mid\; \langle\!\langle u \rangle\!\rangle F \;\mid\; \Delta F$$


where $I$ is an index set which could be infinite, $\{u\}$ (with $u \in A \cup \{\varepsilon\}$) is the
just-before modality introduced in [5], $\langle\!\langle u \rangle\!\rangle$ is the usual weak possibility modality
as in [9], and $\Delta$ is the divergence modality introduced in [13].


Definition 4. Let $\mathcal{A} = (S, A, \rightarrow)$ be an LTS. The satisfaction relation $\models$ between states and formulas of HMLbΔ is defined by induction on the structure of formulas as follows:

1. $s \models \bigwedge_{i\in I} F_i$ if, for all $i \in I$, $s \models F_i$;

2. $s \models \neg F$ if $s \models F$ does not hold;

3. $s \models F_1\{u\}F_2$ if there exist $t, t' \in S$ such that $t \models F_1$, $t' \models F_2$, $s \Rightarrow t$ and ($t \xrightarrow{u} t'$ (when $u \in A$) or $t \xrightarrow{\tau} t'$ (when $u = \varepsilon$)), or there is $t \in S$ such that $t \models F_1$, $t \models F_2$, $s \Rightarrow t$ and $u = \varepsilon$;

4. $s \models \langle\langle u\rangle\rangle F$ if there is $t \in S$ such that $s \stackrel{u}{\Rightarrow} t$ and $t \models F$;

5. $s \models \Delta F$ if there is an infinite $\tau$-run $\sigma$ from $s$ such that $\sigma = s_0\tau s_1\tau s_2 \ldots s_i\tau \ldots$ and there is $n \geq 0$ such that $s_i \models F$ for all $i \geq n$ (in other words, there are only finitely many positions on $\sigma$ where $F$ does not hold).


First note that this logic can express some interesting properties of infinite behaviours of processes. For example, $\Delta\mathit{true}$ asserts the existence of an infinite $\tau$-run, where $\mathit{true}$ is a shorthand for $\bigwedge_{i\in\emptyset} F_i$ (which is the first formula of HMLbΔ according to the BNF rules). The logic is basic; however, it might be more expressive than one expects, due to the use of infinite conjunction with the construction $\bigwedge_{i\in I} F_i$ when $I$ is an infinite set.

As usual we will write binary conjunction $F_1 \wedge F_2$ for $\bigwedge_{i\in\{1,2\}} F_i$, and binary disjunction $F_1 \vee F_2$ for $\neg\bigwedge_{i\in\{1,2\}} \neg F_i$. For two HMLbΔ formulas $F_1, F_2$, we say that $F_1$ and $F_2$ are equivalent logic formulas, written $F_1 \Leftrightarrow F_2$, if for any process $s$ of any LTS it holds that $s \models F_1$ if and only if $s \models F_2$.

The following proposition shows that $\langle\langle u\rangle\rangle$ is a derived operator in the sense that it can be defined in terms of the just-before operator $\{u\}$.

Proposition 2. For any HMLbΔ formula $F$ and $a \neq \tau$, the following equivalences hold:

1. $\langle\langle\varepsilon\rangle\rangle F \Leftrightarrow \mathit{true}\{\varepsilon\}F$;
2. $\langle\langle a\rangle\rangle F \Leftrightarrow \mathit{true}\{a\}(\mathit{true}\{\varepsilon\}F)$.

Proof. Immediately follows from Definition 4.


We write HMLb for the sub-logic of HMLbΔ which consists of formulas constructed without the divergence modality $\Delta$. Then HML, the normal Hennessy-Milner logic, is the sub-logic of HMLb consisting of formulas constructed without the just-before modality $\{u\}$. Given the result in Proposition 2 that $\langle\langle u\rangle\rangle$ is a derived operator of $\{u\}$, the following theorem immediately follows from the characterization result for $\mathcal{L}_\Delta$ in [13].


Theorem 2 (HMLbΔ characterization of $\approx_b^{\Delta}$). Let $s, t$ be two states. Then $s \approx_b^{\Delta} t$ if and only if $s$ and $t$ satisfy the same set of HMLbΔ formulas.


Likewise, the following theorem immediately follows from the characterization result for $\mathcal{L}_b$ in [5].

Theorem 3 (HMLb characterization of $\approx_b$). Let $s, t$ be two states. Then $s \approx_b t$ if and only if $s$ and $t$ satisfy the same set of HMLb formulas.


The following is the famous Hennessy-Milner theorem, which can be found in Chap. 10 of [9].

Theorem 4 (HML characterization of $\approx$). Let $s, t$ be two states. Then $s \approx t$ if and only if $s$ and $t$ satisfy the same set of HML formulas.


The last three theorems give modal logic characterizations for $\approx_b^{\Delta}$, $\approx_b$ and $\approx$ respectively; still missing is a modal logic characterization for $\approx^{\Delta}$. Considering that HMLb is the extension of HML by the just-before modality and that HMLbΔ is the extension of HML by the just-before and the divergence modality, an obvious attempt is to extend HML with the divergence modality, in the hope that this gives a logic which characterizes $\approx^{\Delta}$. However, it turns out that the divergence construction $\Delta F$ is not preserved by $\approx^{\Delta}$, as the following example shows.


[Figure: the LTS of Example 1. Upper row: states $s_0, s_1, s_2, s_3, s_4, \ldots$ with $a_i$-loops and $\tau$-transitions; lower row: states $t_0, t_1, t_2, t_3, t_4, \ldots$ with $a_i$-loops and $\tau$-transitions.]
Example 1. The drawing shows an LTS $P = (S, A, \rightarrow)$ where $A = \{a_i \mid i \geq 0\}$, $S = \{s_i \mid i \geq 0\} \cup \{t_i \mid i \geq 0\}$, and the transition relation is as follows:

– for each $i \geq 0$, if $i$ is even then there are exactly three transitions out of $s_i$: $s_i \xrightarrow{a_i} s_i$, $s_i \xrightarrow{\tau} s_{i+1}$, $s_i \xrightarrow{\tau} s_{i+2}$; if $i$ is odd then there are exactly two transitions out of $s_i$: $s_i \xrightarrow{a_i} s_i$, $s_i \xrightarrow{\tau} s_{i+1}$.
– for each $i \geq 0$, there are exactly two transitions out of $t_i$: $t_i \xrightarrow{a_i} t_i$, $t_i \xrightarrow{\tau} t_{i+1}$.

Now define $\equiv$ to be the following relation:

$$\{(s_i, s_i) \mid i \geq 0\} \cup \{(t_i, t_i) \mid i \geq 0\} \cup \{(s_i, t_i) \mid i \geq 0\} \cup \{(t_i, s_i) \mid i \geq 0\}.$$

The following facts about $\equiv$ are easy to verify:

1. $\equiv$ is an equivalence relation;
2. $\equiv$ is a weak bisimulation;
3. for every $s \in S$, whenever $s \xrightarrow{\tau} t$ then $s \not\equiv t$. Hence whenever $s \equiv t$ then $s \Uparrow_{\equiv}$ if and only if $t \Uparrow_{\equiv}$.

Thus $\equiv$ is a weak bisimulation with explicit divergence, and $s_0 \approx^{\Delta} t_0$. In the following we show that there is an HML formula $F$ such that $\Delta F$ is satisfied by $s_0$ and not by $t_0$.

Let $F_k$ be the following formula:

$$(\langle\langle a_{2k}\rangle\rangle\mathit{true} \wedge \langle\langle a_{2k+1}\rangle\rangle\mathit{true}) \vee (\neg\langle\langle a_{2k}\rangle\rangle\mathit{true} \wedge \neg\langle\langle a_{2k+1}\rangle\rangle\mathit{true}).$$

That is, $F_k$ asserts that the pair of actions $a_{2k}$ and $a_{2k+1}$ are either both enabled or both disabled. It is clear that $F_k$ holds for every state of $S$ except $s_{2k+1}$ and $t_{2k+1}$. Thus $\bigwedge\{F_k \mid k \geq 0\}$ holds on every even numbered position (i.e. $s_0, t_0, s_2, t_2, \ldots$) while it does not hold on any odd numbered position (i.e. $s_1, t_1, s_3, t_3, \ldots$).

Now $\Delta\bigwedge\{F_k \mid k \geq 0\}$ is satisfied by $s_0$ but not by $t_0$. To see that, note that from $s_0$ there is an infinite $\tau$-run $\sigma = s_0\tau s_2\tau \ldots s_{2i}\tau \ldots$ and every state on $\sigma$ satisfies $\bigwedge\{F_k \mid k \geq 0\}$, while the only infinite $\tau$-run from $t_0$ is $t_0\tau t_1\tau \ldots$, on which there are infinitely many states that do not satisfy $\bigwedge\{F_k \mid k \geq 0\}$.


Thus, we need to find a different divergence modality. For that we introduce the weak divergence modality $\Delta_\varepsilon$ into HMLbΔ, by extending the BNF rules as follows:

$$F ::= \ldots \mid \Delta_\varepsilon F.$$

And then add the following interpretation into Definition 4.

6. $s \models \Delta_\varepsilon F$ if there is an infinite $\tau$-run $\sigma$ from $s$ such that for every state $s'$ on $\sigma$ it holds that $s' \Rightarrow t$ for some $t \models F$.

The following is a depiction of the condition for $s \models \Delta_\varepsilon F$.

Proposition 3. For any HMLbΔ formula $F$, the following equivalence holds: $\Delta_\varepsilon F \Leftrightarrow \Delta\langle\langle\varepsilon\rangle\rangle F$.

Proof. Immediately follows from Definition 4 together with the above interpretation for $\Delta_\varepsilon F$.


This proposition shows that $\Delta_\varepsilon$ is a derived operator of $\Delta$ and $\langle\langle\varepsilon\rangle\rangle$, and that with $\Delta_\varepsilon$ added into HMLbΔ the expressiveness of the extended logic does not increase. So we still call the logic HMLbΔ after extending it with $\Delta_\varepsilon$, and we write HMLΔε for the sub-logic where the only modalities allowed are the weak possibility modality $\langle\langle u\rangle\rangle$ and the weak divergence modality $\Delta_\varepsilon$. With the new divergence modality we can obtain another sub-logic HMLbΔε in which $\Delta_\varepsilon$ is allowed but not $\Delta$.

Given a sub-logic $L$ of HMLbΔ, it induces an equivalence relation $=_L$ on states such that $s =_L t$ if and only if $s$ and $t$ satisfy the same set of formulas in the sub-logic. We call $=_L$ the equivalence induced by $L$. The following is a summary of the sub-logics of HMLbΔ that we are concerned with and the corresponding induced equivalences:

1. Let $=_b^{\Delta}$ be the equivalence induced by HMLbΔ;
2. Let $=_b$ be the equivalence induced by HMLb;
3. Let $=$ be the equivalence induced by HML;
4. Let $=^{\Delta_\varepsilon}$ be the equivalence induced by HMLΔε;
5. Let $=_b^{\Delta_\varepsilon}$ be the equivalence induced by HMLbΔε.
In the rest of this section we will show that HMLΔε characterizes $\approx^{\Delta}$, i.e. $\approx^{\Delta}$ coincides with $=^{\Delta_\varepsilon}$. To prove $\approx^{\Delta} \subseteq\; =^{\Delta_\varepsilon}$, we show that for every weak bisimulation with explicit divergence $\equiv$ it holds that $\equiv \;\subseteq\; =^{\Delta_\varepsilon}$ (Lemma 5). To prove $=^{\Delta_\varepsilon} \;\subseteq\; \approx^{\Delta}$, we show that $=^{\Delta_\varepsilon}$ is a weak bisimulation with explicit divergence (Lemma 8).

Example 1 shows that $\Delta F$ is not preserved by $\approx^{\Delta}$, while the following lemma guarantees that $\Delta_\varepsilon F$ is preserved by $\approx^{\Delta}$. Here we omit the proof.

Lemma 5. Let $\equiv$ be a weak bisimulation with explicit divergence, and $F$ be an HMLΔε formula. If $s \equiv t$ and $s \models F$, then $t \models F$. Thus if $\equiv$ is a weak bisimulation with explicit divergence then $\equiv \;\subseteq\; =^{\Delta_\varepsilon}$.
Lemma 6. Let $s \Rightarrow t$. Then

1. whenever $t \models F_1\{u\}F_2$ then $s \models F_1\{u\}F_2$;
2. whenever $t \models \langle\langle u\rangle\rangle F$ then $s \models \langle\langle u\rangle\rangle F$;
3. whenever $t \models \Delta_\varepsilon F$ then $s \models \Delta_\varepsilon F$.

Proof. We only prove 3; 1 and 2 can be proved with the same idea.

Suppose $t \models \Delta_\varepsilon F$. Thus from $t$ there is an infinite $\tau$-run $\rho$ such that for each state $t'$ on $\rho$ there exists $t''$ with $t' \Rightarrow t''$ and $t'' \models F$. Now since $s \Rightarrow t$, by adding a prefix to $\rho$ we can easily obtain an infinite $\tau$-run $\rho'$ with starting state $s$ such that for each state $t'$ on $\rho'$ there exists $t''$ with $t' \Rightarrow t''$ and $t'' \models F$, hence $s \models \Delta_\varepsilon F$.


The following is the so-called stuttering lemma for $=^{\Delta_\varepsilon}$.

Lemma 7. If $s \Rightarrow s'$, $s' \Rightarrow t$, and $s =^{\Delta_\varepsilon} t$, then $s =^{\Delta_\varepsilon} s'$.

Proof. In this case we only need to prove the following: for any HMLΔε formula $F$, it holds that $s \models F$ if and only if $s' \models F$. We carry out the proof by induction on the structure of $F$.

For $\bigwedge_{i\in I} F_i$, we have the following sequence of equivalences: $s \models \bigwedge_{i\in I} F_i$ iff $s \models F_i$ for every $i \in I$ (by definition of $\models$) iff $s' \models F_i$ for every $i \in I$ (by induction hypothesis) iff $s' \models \bigwedge_{i\in I} F_i$ (by definition of $\models$). In the same way we can prove it for the case $\neg F$.

For $\langle\langle u\rangle\rangle F$, suppose $s \models \langle\langle u\rangle\rangle F$. Then $t \models \langle\langle u\rangle\rangle F$ by $s =^{\Delta_\varepsilon} t$, and it immediately follows that $s' \models \langle\langle u\rangle\rangle F$ by $s' \Rightarrow t$ and Lemma 6. On the other hand, suppose $s' \models \langle\langle u\rangle\rangle F$; then $s \models \langle\langle u\rangle\rangle F$ immediately follows by $s \Rightarrow s'$ and Lemma 6. In the same way we can prove it for the case $\Delta_\varepsilon F$.


Lemma 8. $=^{\Delta_\varepsilon}$ is a weak bisimulation with explicit divergence.

Proof. To prove that $=^{\Delta_\varepsilon}$ is a weak bisimulation with explicit divergence, we need to establish the following:

1. $=^{\Delta_\varepsilon}$ is an equivalence relation;
2. $=^{\Delta_\varepsilon}$ is a weak bisimulation;
3. if $s =^{\Delta_\varepsilon} t$, then $s \Uparrow_{=^{\Delta_\varepsilon}}$ iff $t \Uparrow_{=^{\Delta_\varepsilon}}$.

It is obvious that $=^{\Delta_\varepsilon}$ is an equivalence relation. The way to prove that $=^{\Delta_\varepsilon}$ is a weak bisimulation is exactly the same as the way to prove that $=$ is a weak bisimulation [9]. We prove 3 in the following.

First, let us note that for a pair of states $s, t$ with $s \neq^{\Delta_\varepsilon} t$, by the definition of $=^{\Delta_\varepsilon}$ there exists an HMLΔε formula $F^s_t$, which is often called a distinguishing formula of $s$ and $t$, such that $s \models F^s_t$ and $t \not\models F^s_t$.

Suppose $s =^{\Delta_\varepsilon} t$ and $s \Uparrow_{=^{\Delta_\varepsilon}}$; then there is an infinite $\tau$-run $\rho$ from $s$ with all the states on it $=^{\Delta_\varepsilon}$-equivalent to $s$. We construct the following formula $F^s$:

$$\bigwedge\{F^s_u \mid u \neq^{\Delta_\varepsilon} s\}.$$

Clearly $s \models F^s$. Moreover $s \models \Delta_\varepsilon F^s$, since for any state $s'$ on $\rho$, there is $s''$ such that $s' \Rightarrow s''$ and $s'' \models F^s$ (just take $s''$ to be $s'$; thus $s' \Rightarrow s'$, and $s' \models F^s$ by $s' =^{\Delta_\varepsilon} s$). Now because $t =^{\Delta_\varepsilon} s$, we have $t \models \Delta_\varepsilon F^s$. In the following we will show that $t \models \Delta_\varepsilon F^s$ implies $t \Uparrow_{=^{\Delta_\varepsilon}}$.

Since $t \models \Delta_\varepsilon F^s$, there is an infinite $\tau$-run $\sigma$ from $t$ such that for any state $t'$ on $\sigma$ there exists $t''$ with $t' \Rightarrow t''$ and $t'' \models F^s$. Now we will show that if $t'$ is a state on $\sigma$ then $t' =^{\Delta_\varepsilon} t$.

Note that the construction of $F^s$ guarantees the following property:

if $t \Rightarrow t'$ and $t' \models F^s$ then $t' =^{\Delta_\varepsilon} t$.

To see that, let $t \Rightarrow t'$. Suppose $t' \neq^{\Delta_\varepsilon} t$; then $t' \neq^{\Delta_\varepsilon} s$, which implies $t' \not\models F^s$, because in this case $F^s_{t'}$, which is a distinguishing formula of $s$ and $t'$, is one of the conjuncts of $F^s$, and $t' \not\models F^s_{t'}$.

Now for any state $t'$ on $\sigma$, since $t \Rightarrow t'$ and $t' \Rightarrow t''$ for some $t''$ with $t'' \models F^s$, by the above property of $F^s$ we know that $t'' =^{\Delta_\varepsilon} t$, and then by Lemma 7 $t' =^{\Delta_\varepsilon} t$; thus $\sigma$ is the infinite $\tau$-run that we are looking for.


At last, we can state the modal characterization theorem for $\approx^{\Delta}$.

Theorem 5 (HMLΔε characterization of $\approx^{\Delta}$). $=^{\Delta_\varepsilon}$ coincides with $\approx^{\Delta}$, that is, for any pair of states $s$ and $t$, $s \approx^{\Delta} t$ if and only if $s$ and $t$ satisfy the same set of HMLΔε formulas.

Proof. By Lemma 5, $\approx^{\Delta} \;\subseteq\; =^{\Delta_\varepsilon}$, and by Lemma 8 $=^{\Delta_\varepsilon}$ is a weak bisimulation with explicit divergence, hence $=^{\Delta_\varepsilon} \;\subseteq\; \approx^{\Delta}$.

And at the same time we obtain the following theorem, which justifies the definition of $\approx^{\Delta}$.

Theorem 6. $\approx^{\Delta}$ is a weak bisimulation with explicit divergence, and it is the largest weak bisimulation with explicit divergence.

Proof. By Lemmas 5 and 8, $=^{\Delta_\varepsilon}$ is the largest weak bisimulation with explicit divergence. By Theorem 5 $\approx^{\Delta}$ is the same as $=^{\Delta_\varepsilon}$, hence $\approx^{\Delta}$ is the largest weak bisimulation with explicit divergence.


Perhaps a little surprising is the following new modal characterization result for branching bisimilarity with explicit divergence $\approx_b^{\Delta}$.

Theorem 7 (HMLbΔε characterization of $\approx_b^{\Delta}$). Let $s, t$ be two states. Then $s \approx_b^{\Delta} t$ if and only if $s$ and $t$ satisfy the same set of HMLbΔε formulas.

Proof. Here we give the following sketch.

Suppose $s \approx_b^{\Delta} t$ and $s \models F$ for some HMLbΔε formula $F$. Just note that by Proposition 3 there is an HMLbΔ formula $F'$ with $F' \Leftrightarrow F$; then $s \models F'$ and by Theorem 2 $t \models F'$, thus $t \models F$.

For the other direction, we prove that $=_b^{\Delta_\varepsilon}$ is a branching bisimulation with explicit divergence. We can prove that $=_b^{\Delta_\varepsilon}$ is a branching bisimulation in the same way as $=_b$ is proved to be a branching bisimulation in the proof of Theorem 3 in [5]. Suppose $s =_b^{\Delta_\varepsilon} t$ and there is an infinite $\tau$-run from $s$ with all the states on the run in the same $=_b^{\Delta_\varepsilon}$-equivalence class as $s$; we can prove that there is an infinite $\tau$-run from $t$ with all the states on the run in the same $=_b^{\Delta_\varepsilon}$-equivalence class as $t$ in the way we proved it for $=^{\Delta_\varepsilon}$ in Lemma 8, with the help of a lemma similar to Lemma 7 with $=_b^{\Delta_\varepsilon}$ in place of $=^{\Delta_\varepsilon}$.

By Theorems 2 and 7, HMLbΔ and HMLbΔε both characterize $\approx_b^{\Delta}$. Now the results about the relationships of the various bisimulation equivalence relations and the logics can be summarized as the above lattice shaped diagrams, where on the left the equality on the higher end of an edge is included in the equality on the lower end of the edge, on the right the logic on the lower end of an edge is a sub-logic of the one on the higher end of the edge, and the dotted lines represent the logic characterization results.


4 Divergence in Finite State Systems

The motivating problem of this section is the problem of checking complete weak bisimilarity for finite-state processes:

given an LTS $(S, A, \rightarrow)$ and two states $s, t \in S$, where $S$ and $A$ are finite sets, decide whether $s \approx^{\Delta} t$.

We will show that this problem can be solved by reducing it to the problem of checking weak bisimilarity for finite-state processes, which can be solved by a well-known partition algorithm [7]:

given an LTS $(S, A, \rightarrow)$ and two states $s, t \in S$, where $S$ and $A$ are finite sets, decide whether $s \approx t$.

The reduction is as follows. Let $P = (S, A, \rightarrow)$ be a finite-state labeled transition system, i.e. both $S$ and $A$ are finite sets, and let $\delta$ be an action not in $A$. Then we can construct a new finite-state LTS $P_\delta = (\hat{S}, \hat{A}, \rightarrow')$ where $\hat{S} = \{\hat{s} \mid s \in S\}$, $\hat{A} = A \cup \{\delta\}$, and $\rightarrow' = \{(\hat{s}, a, \hat{s}') \mid s \xrightarrow{a} s'\} \cup \{(\hat{s}, \delta, \hat{s}) \mid s \xrightarrow{\tau}\Rightarrow s\}$.

The idea of the reduction is pretty straightforward: in a finite-state system, the existence of an infinite $\tau$-run from a state $s$ is equivalent to the existence of a so-called looping state $s'$ such that $s \Rightarrow s'$ and $s' \xrightarrow{\tau}\Rightarrow s'$ (i.e. $s'$ returns to itself by one or more $\tau$-transitions), and then the looping states can be marked by a particular new action $\delta$. Thus the transitions of the constructed system $P_\delta$ are like those of the original system $P$, except that every looping state $s$ is indicated by a new transition $\hat{s} \xrightarrow{\delta}{}' \hat{s}$. In the following, when it causes no confusion, we will simply write $\hat{s} \xrightarrow{a} \hat{t}$ instead of $\hat{s} \xrightarrow{a}{}' \hat{t}$ for $s, t \in S$.

Now to complete the reduction, we will show that for any $s, t \in S$, it holds that $s \approx^{\Delta} t$ if and only if $\hat{s} \approx \hat{t}$. Then in order to check whether $s \approx^{\Delta} t$ we only need to check whether $\hat{s} \approx \hat{t}$. For any $s, t \in S$, in order to show that $s \approx^{\Delta} t$ if and only if $\hat{s} \approx \hat{t}$, we could show that $\equiv \;\subseteq S \times S$ is a weak bisimulation with explicit divergence if and only if $\hat{\equiv} = \{(\hat{s}, \hat{t}) \mid s \equiv t\}$ is a weak bisimulation. However, with the logic characterization results of the last section, here we take a different approach, which reveals essential properties of the reduction construction, as stated in the following Theorems 8 and 9, and allows us to obtain more general results, as stated in the following Theorem 10.
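The reduction just described, as an added worked example in Python (not code from the paper): it builds $P_\delta$ by marking every looping state with the fresh action $\delta$ and then decides $\hat{s} \approx \hat{t}$ by partition refinement over weak transitions, so that $s \approx^{\Delta} t$ is decided on the marked system. The triple encoding of the LTS, the names `tau`/`delta` and the sample system are assumptions of this example.

```python
"""Checking complete weak bisimilarity on a finite-state LTS by reduction
to weak bisimilarity: mark every looping state with a fresh action delta,
then run partition refinement over weak transitions on the marked LTS.
Added example; the LTS encoding and the sample system below are
constructed for illustration, not taken from the paper."""
from collections import defaultdict

TAU = "tau"      # the silent action
DELTA = "delta"  # fresh action marking divergence (assumed not in A)


class LTS:
    """Finite-state LTS given as (source, action, target) triples."""

    def __init__(self, transitions, states=()):
        self.trans = set(transitions)
        self.states = set(states)
        self.succ = defaultdict(set)
        for s, a, t in self.trans:
            self.states |= {s, t}
            self.succ[(s, a)].add(t)

    def tau_closure(self, states):
        """All states reachable from `states` by zero or more tau steps."""
        seen, todo = set(states), list(states)
        while todo:
            s = todo.pop()
            for t in self.succ[(s, TAU)]:
                if t not in seen:
                    seen.add(t)
                    todo.append(t)
        return seen

    def weak_succ(self, s, a):
        """Targets of the weak move s =a=> t (tau* a tau*, or tau* for a == tau)."""
        before = self.tau_closure({s})
        if a == TAU:
            return before
        after = set()
        for u in before:
            after |= self.succ[(u, a)]
        return self.tau_closure(after)

    def looping_states(self):
        """States that return to themselves by one or more tau steps.  In a
        finite-state system an infinite tau-run from s exists iff s => s'
        for some looping state s'."""
        return {s for s in self.states
                if s in self.tau_closure(self.succ[(s, TAU)])}

    def mark_divergence(self):
        """Build P_delta: the same transitions plus a delta self-loop on
        every looping state."""
        loops = {(s, DELTA, s) for s in self.looping_states()}
        return LTS(self.trans | loops, self.states)

    def weak_bisimulation_classes(self):
        """Partition refinement: two states stay in one block iff, for every
        action and every block, both or neither can weakly move into it
        (weak bisimilarity is strong bisimilarity over the weak moves)."""
        actions = {a for _, a, _ in self.trans} | {TAU}
        block = {s: 0 for s in self.states}
        while True:
            signature = {
                s: (block[s], frozenset((a, block[t]) for a in actions
                                        for t in self.weak_succ(s, a)))
                for s in self.states
            }
            ids = {}
            new_block = {s: ids.setdefault(signature[s], len(ids))
                         for s in self.states}
            if len(ids) == len(set(block.values())):
                return new_block   # no block was split: partition is stable
            block = new_block


def weak_bisimilar(lts, s, t):
    """s ~ t (weak bisimilarity) in lts."""
    classes = lts.weak_bisimulation_classes()
    return classes[s] == classes[t]


def complete_weak_bisimilar(lts, s, t):
    """s ~Delta t in P iff s^ ~ t^ in P_delta (item 1 of Theorem 10)."""
    return weak_bisimilar(lts.mark_divergence(), s, t)


# Constructed sample: p and q are weakly bisimilar, but only p can diverge
# (tau self-loop); r diverges through the two-state tau cycle r, r2.
SAMPLE = LTS({
    ("p", "a", "p"), ("p", TAU, "p"),
    ("q", "a", "q"),
    ("r", "a", "r"), ("r", TAU, "r2"),
    ("r2", "a", "r2"), ("r2", TAU, "r"),
})

if __name__ == "__main__":
    print("p ~ q:", weak_bisimilar(SAMPLE, "p", "q"))                 # True
    print("p ~Delta q:", complete_weak_bisimilar(SAMPLE, "p", "q"))   # False
    print("p ~Delta r:", complete_weak_bisimilar(SAMPLE, "p", "r"))   # True
```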

We define a translation function $\overline{\,\cdot\,}$ which maps every HMLbΔ formula $F$ to another HMLbΔ formula $\overline{F}$. The function is inductively defined on the structure of the formula as follows:

$$\begin{array}{ll}
\overline{\bigwedge_{i\in I} F_i} = \bigwedge_{i\in I} \overline{F_i} & \overline{\neg F} = \neg\overline{F}\\[2pt]
\overline{F_1\{u\}F_2} = \overline{F_1}\{u\}\overline{F_2} \quad (u \neq \delta) & \overline{F_1\{\delta\}F_2} = \neg\mathit{true}\\[2pt]
\overline{\langle\langle u\rangle\rangle F} = \langle\langle u\rangle\rangle\overline{F} \quad (u \neq \delta) & \overline{\langle\langle\delta\rangle\rangle F} = \neg\mathit{true}\\[2pt]
\overline{\Delta F} = \mathit{true}\{\delta\}\overline{F} & \overline{\Delta_\varepsilon F} = \langle\langle\delta\rangle\rangle\overline{F}
\end{array}$$

Theorem 8. If $F$ is an HMLbΔ formula, then $\overline{F}$ is an HMLb formula. Moreover, if $F$ is an HMLΔε formula, then $\overline{F}$ is an HML formula.

For a finite-state LTS $P = (S, A, \rightarrow)$, let $P_\delta = (\hat{S}, \hat{A}, \rightarrow')$ be the finite-state LTS constructed above, and $s \in S$. Then for any HMLbΔ formula $F$, it holds that $s \models F$ if and only if $\hat{s} \models \overline{F}$.


The proof, which is omitted here, is a routine induction on the structure of the formulas. Here we just explain the idea behind the translation function $\overline{\,\cdot\,}$, from which one can see the rationale behind Theorem 8. The key is to understand why $F_1\{\delta\}F_2$ is translated to $\neg\mathit{true}$. As we have pointed out above, $\delta$ is an action which is not in $A$ and which is used in the reduction to mark divergence. That implies that no process $s$ from $P$ is capable of a $\delta$ action, hence the property $F_1\{\delta\}F_2$ will never be satisfied by any process from $P$. That is why $F_1\{\delta\}F_2$ is translated to $\neg\mathit{true}$. For the same reason $\langle\langle\delta\rangle\rangle F$ is also translated to $\neg\mathit{true}$.

Also, we can define a translation function $\underline{\,\cdot\,}$ which maps every HMLb formula $F$ to an HMLbΔ formula $\underline{F}$. The function is inductively defined on the structure of the formula as follows:

$$\begin{array}{ll}
\underline{\bigwedge_{i\in I} F_i} = \bigwedge_{i\in I} \underline{F_i} & \underline{\neg F} = \neg\underline{F}\\[2pt]
\underline{\langle\langle u\rangle\rangle F} = \langle\langle u\rangle\rangle\underline{F} \quad (u \neq \delta) & \underline{\langle\langle\delta\rangle\rangle F} = \Delta_\varepsilon\underline{F}
\end{array}$$

Theorem 9. If $F$ is an HMLb formula, then $\underline{F}$ is an HMLbΔ formula. Moreover, if $F$ is an HML formula, then $\underline{F}$ is an HMLΔε formula.

For a finite-state LTS $P = (S, A, \rightarrow)$, let $P_\delta = (\hat{S}, \hat{A}, \rightarrow')$ be the finite-state LTS constructed above, and $s \in S$. Then for any HMLb formula $F$, it holds that $s \models \underline{F}$ if and only if $\hat{s} \models F$.


Now we obtain the following theorem, which guarantees the correctness of our reduction.

Theorem 10. For a finite-state LTS $P = (S, A, \rightarrow)$, let $P_\delta = (\hat{S}, \hat{A}, \rightarrow')$ be the finite-state LTS constructed above. Then for $s, t \in S$:

1. $s \approx^{\Delta} t$ if and only if $\hat{s} \approx \hat{t}$;
2. $s \approx_b^{\Delta} t$ if and only if $\hat{s} \approx_b \hat{t}$.

Proof. Here we only prove 1. The way to prove 2 is the same. Since $\approx^{\Delta}$ coincides with $=^{\Delta_\varepsilon}$ and $\approx$ coincides with $=$, to prove 1 we only need to prove that $s =^{\Delta_\varepsilon} t$ if and only if $\hat{s} = \hat{t}$.

Suppose $s =^{\Delta_\varepsilon} t$. If $\hat{s} \models F$ for some HML formula $F$, then by Theorem 9, $\underline{F}$ is an HMLΔε formula and $s \models \underline{F}$. Then by the condition that $s =^{\Delta_\varepsilon} t$, we have $t \models \underline{F}$, and again by Theorem 9, $\hat{t} \models F$. Thus $\hat{s} = \hat{t}$.

Suppose $\hat{s} = \hat{t}$. If $s \models F$ for some HMLΔε formula $F$, then by Theorem 8, $\overline{F}$ is an HML formula and $\hat{s} \models \overline{F}$. Then by the condition that $\hat{s} = \hat{t}$, we have $\hat{t} \models \overline{F}$, and again by Theorem 8, $t \models F$. Thus $s =^{\Delta_\varepsilon} t$.

Theorem 8 also suggests a simple solution to the model checking problem for HMLbΔ (which can have many solutions). The model checking problem here is to ask, for any given state $s$ of a finite-state LTS $P$ and any given finite HMLbΔ formula $F$ (finite in the sense that only finite conjunctions are allowed in $F$), how to decide whether $s \models F$ holds or not. By Theorem 8, this problem can be reduced to the problem of deciding whether $\hat{s} \models \overline{F}$ holds or not, which comes with simple decision procedures because here $\hat{s}$ is a state in the finite-state LTS $P_\delta$ and $\overline{F}$ is a finite HMLb formula.


5 Conclusion

To summarize, by introducing a new divergence modality, the weak divergence modality $\Delta_\varepsilon$, we obtain logic characterization results for two divergence sensitive bisimulation equivalence relations. One is the first modal logic characterization for complete weak bisimilarity $\approx^{\Delta}$, and the other is a new modal logic characterization for branching bisimilarity with explicit divergence $\approx_b^{\Delta}$. With these new characterization results we showed a clear picture of the sub-logic relationships of various logic characterization results. By using these new characterization results, we provide reductions from the divergence sensitive equality checking problems and model checking problems to the divergence blind equality checking problems and model checking problems respectively for finite-state systems.

Complete weak bisimilarity $\approx^{\Delta}$ was first defined in [10]; it is a refinement of weak bisimilarity $\approx$ [9] that takes divergence behavior into account. Since this is a relatively new equivalence relation, the logic characterization problem and the equality checking problem for finite-state systems have not been treated before this paper. The relation $\approx_b^{\Delta}$ was defined in [12] as a refinement of branching bisimilarity $\approx_b$ [12]. In [15], the equality checking problem of stutter equivalence on Kripke structures is solved by a reduction to the equality checking problem of divergence blind stutter equivalence. Stutter equivalence and divergence blind stutter equivalence are the Kripke structure versions of branching bisimilarity with explicit divergence and branching bisimilarity. The reduction presented in Sect. 4 is inspired by the reduction in [15].

The study of modal logic characterization of bisimulation equivalence relations was initiated by Hennessy and Milner in [2]. For branching bisimilarity, modal characterization results were studied in [5,6], where different modalities for branching structures were used. In [6], besides the extension of Hennessy-Milner logic with the until operator mentioned earlier in the paper, two other logics were proposed to characterize branching bisimilarity. One is another extension of Hennessy-Milner logic which exploits the power of backward modalities. The other is CTL* without the next-time operator, interpreted over all paths, not just over maximal ones. In [13] a modal logic was proposed to characterize branching bisimilarity with explicit divergence by combining the modalities for branching bisimilarity in [5] and a divergence modality $\Delta$. In [14], an extension of CTL* without the next operator is proposed which also characterizes branching bisimilarity with explicit divergence.
Abstract. We show that call-by-need is observationally equivalent to weak-head needed reduction. The proof of this result uses a semantical argument based on a (non-idempotent) intersection type system called V. Interestingly, system V also allows one to syntactically identify all the weak-head needed redexes of a term.


1 Introduction 


One of the fundamental notions underlying this paper is that of needed reduction in $\lambda$-calculus, which is used here to understand (lazy) evaluation of functional programs. Key notions are those of reducible and non-reducible programs: the former are programs (represented by $\lambda$-terms) containing non-evaluated subprograms, called reducible expressions (redexes), whereas the latter can be seen as definitive results of computations, called normal forms. It turns out that every reducible program contains a special kind of redex known as needed or, in other words, every $\lambda$-term not in normal form contains a needed redex. A redex $r$ is said to be needed in a $\lambda$-term $t$ if $r$ has to be contracted (i.e. evaluated) sooner or later when reducing $t$ to normal form, or, informally said, if there is no way of avoiding $r$ to reach a normal form.

The needed strategy, which always contracts a needed redex, is normalising [8], i.e. if a term can be reduced (in any way) to a normal form, then contraction of needed redexes necessarily terminates. This is an excellent starting point to design an evaluation strategy, but unfortunately, neededness of a redex is not decidable [8]. As a consequence, real implementations of functional languages cannot be directly based on this notion.

Our goal is, however, to establish a clear connection between the semantical notion of neededness and different implementations of lazy functional languages (e.g. Miranda or Haskell). Such implementations are based on call-by-need calculi, pioneered by Wadsworth [20], and extensively studied e.g. in [3]. Indeed, call-by-need calculi fill the gap between the well-known operational semantics of the call-by-name $\lambda$-calculus and the actual implementations of lazy functional languages. While call-by-name re-evaluates an argument each time it is used (an operation which is quite expensive), call-by-need can be seen as a memoized version of call-by-name, where the value of an argument is stored the first time it is evaluated, for subsequent uses. For example, if $t = \Delta\,(I\,I)$, where $\Delta = \lambda x.x\,x$ and $I = \lambda z.z$, then call-by-name duplicates the argument $I\,I$, while lazy languages first reduce $I\,I$ to the value $I$ so that further uses of this argument do not need to evaluate it again.

While the notion of needed reduction is defined with respect to (full strong) normal forms, call-by-need calculi evaluate programs to special values called weak-head normal forms, which are either abstractions or arbitrary applications headed by a variable (i.e. terms of the form $x\,t_1 \ldots t_n$ where $t_1 \ldots t_n$ are arbitrary terms). To overcome this shortfall, we first adapt the notion of needed redex to terms that are not going to be fully reduced to normal forms but only to weak-head normal forms. Thus, informally, a redex $r$ is weak-head needed in a term $t$ if $r$ has to be contracted sooner or later when reducing $t$ to a weak-head normal form. The derived notion of strategy is called a weak-head needed strategy, which always contracts a weak-head needed redex.

This paper introduces two independent results about weak-head neededness, both obtained by means of (non-idempotent) intersection types [12,13] (a survey can be found in [9]). We consider, in particular, typing system V [14] and show that it allows one to identify all the weak-head needed redexes of a weak-head normalising term. This is done by adapting the classical notion of principal type [17] and proving that a redex in a weak-head normalising term $t$ is weak-head needed iff it is typed in a principally typed derivation for $t$ in V.

Our second goal is to show observational equivalence between call-by-need and weak-head needed reduction. Two terms are observationally equivalent when all the empirically testable computations on them are identical. This means that a term $t$ can be evaluated to a weak-head normal form using the call-by-need machinery if and only if the weak-head needed reduction normalises $t$.

By means of the system V mentioned so far, we use a technique to reason about observational equivalence that is flexible, general and easy to verify or even certify. Indeed, system V provides a semantic argument: first showing that a term $t$ is typable in system V iff it is normalising for the weak-head needed strategy ($t \in \mathcal{WN}_{\mathrm{whnd}}$), then, by resorting to some results in [14], showing that system V is complete for call-by-name, i.e. a term $t$ is typable in system V iff $t$ is normalising for call-by-name ($t \in \mathcal{WN}_{\mathrm{name}}$), and that $t$ is normalising for call-by-name iff $t$ is normalising for call-by-need ($t \in \mathcal{WN}_{\mathrm{need}}$). This completes the following chain of equivalences:

$$t \in \mathcal{WN}_{\mathrm{whnd}} \iff t \text{ typable in V} \iff t \in \mathcal{WN}_{\mathrm{name}} \iff t \in \mathcal{WN}_{\mathrm{need}}$$

This leads to the observational equivalence between call-by-need, call-by-name and weak-head needed reduction.


Structure of the paper: Sect. 2 introduces preliminary concepts while Sect. 3 defines different notions of needed reduction. The type system V is studied in Sect. 4. Section 5 extends $\beta$-reduction to derivation trees. We show in Sect. 6 how system V identifies weak-head needed redexes, while Sect. 7 gives a characterisation of normalisation for the weak-head needed reduction. Sect. 8 is devoted to defining call-by-need. Finally, Sect. 9 presents the observational equivalence result.


2 Preliminaries 


This section introduces some standard definitions and notions concerning the reduction strategies studied in this paper, that is, call-by-name, head and weak-head reduction, and neededness, this latter notion being based on the theory of residuals [7].


2.1 The Call-by-Name Lambda-Calculus 


Given a countably infinite set $\mathcal{X}$ of variables $x, y, z, \ldots$ we consider the following grammar:

$$\begin{array}{ll}
\text{(Terms)} & t, u ::= x \in \mathcal{X} \mid t\,u \mid \lambda x.t\\
\text{(Values)} & v ::= \lambda x.t\\
\text{(Contexts)} & C ::= \Box \mid C\,t \mid t\,C \mid \lambda x.C\\
\text{(Name contexts)} & E ::= \Box \mid E\,t
\end{array}$$


The set of $\lambda$-terms is denoted by $\mathcal{T}_\lambda$. We use $I$, $K$ and $\Omega$ to denote the terms $\lambda x.x$, $\lambda x.\lambda y.x$ and $(\lambda x.x\,x)\,(\lambda x.x\,x)$ respectively. We use $C(t)$ (resp. $E(t)$) for the term obtained by replacing the hole $\Box$ of $C$ (resp. $E$) by $t$. The sets of free and bound variables of a term $t$, written respectively $\mathtt{fv}(t)$ and $\mathtt{bv}(t)$, are defined as usual [7]. We work with the standard notion of $\alpha$-conversion, i.e. renaming of bound variables for abstractions; thus for example $\lambda x.x\,y =_\alpha \lambda z.z\,y$.

A term of the form $(\lambda x.t)\,u$ is called a $\beta$-redex (or just redex when $\beta$ is clear from the context) and $\lambda x$ is called the anchor of the redex. The one-step reduction relation $\rightarrow_\beta$ (resp. $\rightarrow_{\mathtt{name}}$) is given by the closure by contexts $C$ (resp. $E$) of the rewriting rule $(\lambda x.t)\,u \mapsto_\beta t\{x/u\}$, where $\_\{\_/\_\}$ denotes the capture-free standard higher-order substitution. Thus, call-by-name forbids reduction inside arguments and $\lambda$-abstractions, e.g. $(\lambda x.I\,I)\,(I\,I) \rightarrow_\beta (\lambda x.I\,I)\,I$ and $(\lambda x.I\,I)\,(I\,I) \rightarrow_\beta (\lambda x.I)\,(I\,I)$, but neither $(\lambda x.I\,I)\,(I\,I) \rightarrow_{\mathtt{name}} (\lambda x.I\,I)\,I$ nor $(\lambda x.I\,I)\,(I\,I) \rightarrow_{\mathtt{name}} (\lambda x.I)\,(I\,I)$ holds. We write $\rightarrow^*_\beta$ (resp. $\rightarrow^*_{\mathtt{name}}$) for the reflexive-transitive closure of $\rightarrow_\beta$ (resp. $\rightarrow_{\mathtt{name}}$).


2.2 Head, Weak-Head and Leftmost Reductions 


In order to introduce different notions of reduction, we start by formalising the general mechanism of reduction, which consists in contracting a redex at some specific occurrence. Occurrences are finite words over the alphabet $\{0, 1\}$. We use $\epsilon$ to denote the empty word and the notation $a^n$ for $n \in \mathbb{N}$ concatenations of some letter $a$ of the alphabet. The set of occurrences of a given term is defined by induction as follows: $\mathtt{oc}(x) = \{\epsilon\}$; $\mathtt{oc}(t\,u) = \{\epsilon\} \cup \{0p \mid p \in \mathtt{oc}(t)\} \cup \{1p \mid p \in \mathtt{oc}(u)\}$; $\mathtt{oc}(\lambda x.t) = \{\epsilon\} \cup \{0p \mid p \in \mathtt{oc}(t)\}$.

Given two occurrences $p$ and $q$, we use the notation $p \leq q$ to mean that $p$ is a prefix of $q$, i.e. there is $p'$ such that $pp' = q$. We denote by $t|_p$ the subterm of $t$ at occurrence $p$, defined as expected [4]; thus for example $((\lambda x.y)\,z)|_{00} = y$. The set of redex occurrences of $t$ is defined by $\mathtt{roc}(t) = \{p \in \mathtt{oc}(t) \mid t|_p = (\lambda x.s)\,u\}$. We use the notation $r : t \rightarrow_\beta t'$ to mean that $r \in \mathtt{roc}(t)$ and $t$ reduces to $t'$ by contracting the redex at occurrence $r$, e.g. $000 : (\lambda x.(\lambda y.y)\,x\,x)\,z \rightarrow_\beta (\lambda x.x\,x)\,z$. This notion is extended to reduction sequences as expected, and noted $\rho : t \rightarrow^*_\beta t'$, where $\rho$ is the list of all the redex occurrences contracted along the reduction sequence. We use $\mathtt{nil}$ to denote the empty reduction sequence, so that $\mathtt{nil} : t \rightarrow^*_\beta t$ holds for every term $t$.

Any term $t$ has exactly one of the following forms: $\lambda x_1 \ldots \lambda x_n.y\,t_1 \ldots t_m$ or $\lambda x_1 \ldots \lambda x_n.(\lambda y.s)\,u\,t_1 \ldots t_m$ with $n, m \geq 0$. In the latter case we say that $(\lambda y.s)\,u$ is the head redex of $t$, while in the former case there is no head redex. Moreover, if $n = 0$, we say that $(\lambda y.s)\,u$ is the weak-head redex of $t$. In terms of occurrences, the head redex of $t$ is the minimal redex occurrence of the form $0^n$ with $n \geq 0$. In particular, if it satisfies that $t|_{0^k}$ is not an abstraction for every $k < n$, it is the weak-head redex of $t$. A reduction sequence contracting at each step the head redex (resp. weak-head redex) of the corresponding term is called the head reduction (resp. weak-head reduction).

Given two redex occurrences $r, r' \in \mathtt{roc}(t)$, we say that $r$ is to-the-left of $r'$ if the anchor of $r$ is to the left of the anchor of $r'$. Thus for example, the redex occurrence $0$ is to-the-left of $1$ in the term $(I\,x)\,(I\,y)$, and $\epsilon$ is to-the-left of $00$ in $(\lambda x.(I\,I))\,z$. Alternatively, the relation to-the-left can be understood as a dictionary order between redex occurrences, i.e. $r$ is to-the-left of $r'$ if either $r' = rq$ with $q \neq \epsilon$ (i.e. $r$ is a proper prefix of $r'$); or $r = p0q$ and $r' = p1q'$ (i.e. they share a common prefix and $r$ is on the left-hand side of an application while $r'$ is on the right-hand side). Notice that in any case this implies $r' \not\leq r$. Since this notion defines a total order on redexes, every term not in normal form has a unique leftmost redex. The term $t$ leftmost reduces to $t'$ if $t$ reduces to $t'$ and the reduction step contracts the leftmost redex of $t$. For example, $(I\,x)\,(I\,y)$ leftmost reduces to $x\,(I\,y)$ and $(\lambda x.(I\,I))\,z$ leftmost reduces to $I\,I$. This notion extends to reduction sequences as expected.


3 Towards Neededness 


Needed reduction is based on two fundamental notions: that of residual, which 
describes how a given redex is traced all along a reduction sequence, and that 
of normal form, which gives the form of the expected result of the reduction 
sequence. This section extends the standard notion of needed reduction [8] to 
those of head and weak-head needed reductions. 
3.1 Residuals 


Given a term $t$, $p \in oc(t)$ and $r \in roc(t)$, the descendants of $p$ after $r$ in $t$, written $p/r$, is the set of occurrences defined as follows:

\[
p/r = \begin{cases}
\emptyset & \text{if } p = r \text{ or } p = r0 \\
\{p\} & \text{if } r \not\leq p \\
\{rq\} & \text{if } p = r00q \\
\{rkq \mid s|_k = x\} & \text{if } p = r1q \text{ with } t|_r = (\lambda x.s)\,u
\end{cases}
\]

For instance, given $t = (\lambda x.(\lambda y.x)\,x)\,z$, then $oc(t) = \{\epsilon, 0, 1, 00, 000, 001, 0000\}$, $roc(t) = \{\epsilon, 00\}$, $00/00 = \emptyset$, $\epsilon/00 = \{\epsilon\}$, $00/\epsilon = \{\epsilon\}$ and $1/\epsilon = \{1, 00\}$.

Notice that $p/r \subseteq oc(t')$ where $r : t \to_\beta t'$. Furthermore, if $p$ is the occurrence of a redex in $t$ (i.e. $p \in roc(t)$), then $p/r \subseteq roc(t')$, and each position in $p/r$ is called a residual of $p$ after reducing $r$. This notion is extended to sets of redex occurrences, indeed, the residuals of $P$ after $r$ in $t$ are $P/r := \bigcup_{p \in P} p/r$. In particular $\emptyset/r = \emptyset$. Given $\rho : t \twoheadrightarrow_\beta t'$ and $P \subseteq roc(t)$, the residuals of $P$ after the sequence $\rho$ are: $P/nil := P$ and $P/(r\rho') := (P/r)/\rho'$.

Stability of the to-the-left relation makes use of the notion of residual:

Lemma 1. Given a term $t$, let $l, r, s \in roc(t)$ such that $l$ is to-the-left of $r$, $s \neq l$ and $s : t \to_\beta t'$. Then, $l \in roc(t')$ and $l$ is to-the-left of $r'$ for every $r' \in r/s$.

Proof. By case analysis using the definition of to-the-left [15].

Notice that this result not only implies that the leftmost redex is preserved by reduction of other redexes, but also that the residual of the leftmost redex occurs in exactly the same occurrence as the original one.

Corollary 1. Given a term $t$, and $l \in roc(t)$ the leftmost redex of $t$, if the reduction $\rho : t \twoheadrightarrow_\beta t'$ contracts neither $l$ nor any of its residuals, then $l \in roc(t')$ is the leftmost redex of $t'$.

Proof. By induction on the length of $\rho$ using Lemma 1.


3.2 Notions of Normal Form 


The expected result of evaluating a program is specified by means of some appropriate notion of normal form. Given any relation $\to_R$, a term $t$ is said to be in $R$-normal form ($NF_R$) iff there is no $t'$ such that $t \to_R t'$. A term $t$ is $R$-normalising ($WN_R$) iff there exists $u \in NF_R$ such that $t \twoheadrightarrow_R u$. Thus, given an $R$-normalising term $t$, we can define the set of $R$-normal forms of $t$ as $nf_R(t) := \{t' \mid t \twoheadrightarrow_R t' \wedge t' \in NF_R\}$.

In particular, it turns out that a term in weak-head $\beta$-normal form ($WHNF_\beta$) is of the form $x\,t_1 \ldots t_n$ ($n \geq 0$) or $\lambda x.t$, where $t, t_1, \ldots, t_n$ are arbitrary terms, i.e. it has no weak-head redex. The set of weak-head $\beta$-normal forms of $t$ is $whnf_\beta(t) := \{t' \mid t \twoheadrightarrow_\beta t' \wedge t' \in WHNF_\beta\}$.

Similarly, a term in head $\beta$-normal form ($HNF_\beta$) turns out to be of the form $\lambda x_1.\ldots\lambda x_n.x\,t_1 \ldots t_m$ ($n, m \geq 0$), i.e. it has no head redex. The set of head $\beta$-normal forms of $t$ is given by $hnf_\beta(t) := \{t' \mid t \twoheadrightarrow_\beta t' \wedge t' \in HNF_\beta\}$.

Last, any term in $\beta$-normal form ($NF_\beta$) has the form $\lambda x_1.\ldots\lambda x_n.x\,t_1 \ldots t_m$ ($n, m \geq 0$) where $t_1, \ldots, t_m$ are themselves in $\beta$-normal form. It is well-known that the set $nf_\beta(t)$ is a singleton, so we may use it either as a set or as its unique element.

It is worth noticing that $NF_\beta \subset HNF_\beta \subset WHNF_\beta$. Indeed, the inclusions are strict, for instance $\lambda x.(\lambda y.y)\,z$ is in weak-head but not in head $\beta$-normal form, while $x\,((\lambda y.y)\,x)\,z$ is in head but not in $\beta$-normal form.


3.3 Notions of Needed Reduction 


The different notions of normal form considered in Sect. 3.2 suggest different notions of needed reduction, besides the standard one in the literature [8]. Indeed, consider $r \in roc(t)$. We say that $r$ is used in a reduction sequence $\rho$ iff $\rho$ reduces $r$ or some residual of $r$. Then:

1. $r$ is needed in $t$ if every reduction sequence from $t$ to $\beta$-normal form uses $r$;

2. $r$ is head needed in $t$ if every reduction sequence from $t$ to head $\beta$-normal form uses $r$;

3. $r$ is weak-head needed in $t$ if every reduction sequence of $t$ to weak-head $\beta$-normal form uses $r$.

Notice in particular that $nf_\beta(t) = \emptyset$ (resp. $hnf_\beta(t) = \emptyset$ or $whnf_\beta(t) = \emptyset$) implies every redex in $t$ is needed (resp. head needed or weak-head needed).

A one-step reduction $\to_\beta$ is needed (resp. head or weak-head needed), noted $\to_{nd}$ (resp. $\to_{hnd}$ or $\to_{whnd}$), if the contracted redex is needed (resp. head or weak-head needed). A reduction sequence $\twoheadrightarrow_\beta$ is needed (resp. head or weak-head needed), noted $\twoheadrightarrow_{nd}$ (resp. $\twoheadrightarrow_{hnd}$ or $\twoheadrightarrow_{whnd}$), if every reduction step in the sequence is needed (resp. head or weak-head needed).

For instance, consider the reduction sequence:

\[
\big((\lambda y.\lambda x.\,(I\,x)^{r_2}\,(I\,I)^{r_1})\,(I\,I)\big)^{r_3} \to_{nd} (\lambda y.\lambda x.\,I\,x\,I)\,(I\,I) \to_{nd} (\lambda y.\lambda x.\,x\,I)\,(I\,I) \to_{nd} \lambda x.\,x\,I
\]

which is needed but not head needed, since redex $r_1$ might not be contracted to reach a head normal form:

\[
(\lambda y.\lambda x.\,I\,x\,(I\,I))\,(I\,I) \to_{hnd} (\lambda y.\lambda x.\,x\,(I\,I))\,(I\,I) \to_{hnd} \lambda x.\,x\,(I\,I)
\]

Moreover, this second reduction sequence is head needed but not weak-head needed since only redex $r_3$ is needed to get a weak-head normal form:

\[
(\lambda y.\lambda x.\,I\,x\,(I\,I))\,(I\,I) \to_{whnd} \lambda x.\,I\,x\,(I\,I)
\]

Notice that the following equalities hold: $NF_{nd} = NF_\beta$, $NF_{hnd} = HNF_\beta$ and $NF_{whnd} = WHNF_\beta$.

Leftmost redexes and reduction sequences are indeed needed:


Lemma 2. The leftmost redex in any term not in normal form (resp. head or weak-head normal form) is needed (resp. head or weak-head needed).

Proof. By contradiction using the definition of needed [15].

Theorem 1. Let $r \in roc(t)$ and $\rho : t \twoheadrightarrow_\beta t'$ be the leftmost reduction (resp. head reduction or weak-head reduction) starting with $t$ such that $t' = nf_\beta(t)$ (resp. $t' \in hnf_\beta(t)$ or $t' \in whnf_\beta(t)$). Then, $r$ is needed (resp. head or weak-head needed) in $t$ iff $r$ is used in $\rho$.

Proof. By definition of needed using Lemma 2 [15].

Notice that the weak-head reduction is a prefix of the head reduction, which is in turn a prefix of the leftmost reduction to normal form. As a consequence, it is immediate to see that every weak-head needed redex is in particular head needed, and every head needed redex is needed as well. For example, consider:

\[
\big((\lambda y.\lambda x.\,(I\,x)^{r_2}\,(I\,I)^{r_3})\,(I\,I)^{r_4}\big)^{r_1}
\]

where $r_3$ is a needed redex but not head needed nor weak-head needed. However, $r_2$ is both needed and head needed, while $r_1$ is the only weak-head needed redex in the term, and $r_4$ is not needed at all.

4 The Type System V 


In this section we recall the (non-idempotent) intersection type system $\mathcal{V}$ [14] — an extension of those in [12,13] — used here to characterise normalising terms w.r.t. the weak-head strategy. More precisely, we show that $t$ is typable in system $\mathcal{V}$ if and only if $t$ is normalising when only weak-head needed redexes are contracted. This characterisation is used in Sect. 9 to conclude that the weak-head needed strategy is observationally equivalent to the call-by-need calculus (to be introduced in Sect. 8).

Given a constant type $a$ that denotes answers and a countable infinite set $\mathcal{B}$ of base type variables $\alpha, \beta, \gamma, \ldots$, we define the following sets of types:

(Types) $\tau, \sigma ::= a \mid \alpha \in \mathcal{B} \mid \mathcal{M} \to \tau$
(Multiset types) $\mathcal{M}, \mathcal{N} ::= \{\tau_i\}_{i \in I}$ where $I$ is a finite set

The empty multiset is denoted by $\{\}$. We remark that types are strict [18], i.e. the right-hand sides of functional types are never multisets. Thus, the general form of a type is $\mathcal{M}_1 \to \ldots \to \mathcal{M}_n \to \tau$ with $\tau$ being the constant type or a base type variable.

Typing contexts (or just contexts), written $\Gamma, \Delta$, are functions from variables to multiset types, assigning the empty multiset to all but a finite set of variables. The domain of $\Gamma$ is given by $dom(\Gamma) := \{x \mid \Gamma(x) \neq \{\}\}$. The union of contexts, written $\Gamma + \Delta$, is defined by $(\Gamma + \Delta)(x) := \Gamma(x) \sqcup \Delta(x)$, where $\sqcup$ denotes multiset union. An example is $(x : \{\sigma\}, y : \{\tau\}) + (x : \{\sigma\}, z : \{\tau\}) = (x : \{\sigma, \sigma\}, y : \{\tau\}, z : \{\tau\})$. This notion is extended to several contexts as expected, so that $+_{i \in I}\Gamma_i$ denotes a finite union of contexts (when $I = \emptyset$ the notation is to be understood as the empty context). We write $\Gamma \setminus\!\!\setminus x$ for the context $(\Gamma \setminus\!\!\setminus x)(x) := \{\}$ and $(\Gamma \setminus\!\!\setminus x)(y) := \Gamma(y)$ if $y \neq x$.

Type judgements have the form $\Gamma \vdash t : \tau$, where $\Gamma$ is a typing context, $t$ is a term and $\tau$ is a type. The intersection type system $\mathcal{V}$ for the $\lambda$-calculus is given in Fig. 1.


\[
\frac{}{x : \{\tau\} \vdash x : \tau}\;(ax)
\qquad
\frac{\Gamma \vdash t : \tau}{\Gamma \setminus\!\!\setminus x \vdash \lambda x.t : \Gamma(x) \to \tau}\;(\to i)
\]

\[
\frac{}{\vdash \lambda x.t : a}\;(val)
\qquad
\frac{\Gamma \vdash t : \{\sigma_i\}_{i \in I} \to \tau \qquad (\Delta_i \vdash u : \sigma_i)_{i \in I}}{\Gamma +_{i \in I} \Delta_i \vdash t\,u : \tau}\;(\to e)
\]

Fig. 1. The non-idempotent intersection type system $\mathcal{V}$.


The constant type $a$ in rule $(val)$ is used to type values. The axiom $(ax)$ is relevant (there is no weakening) and the rule $(\to e)$ is multiplicative. Note that the argument of an application is typed $\#(I)$ times by the premises of rule $(\to e)$. A particular case is when $I = \emptyset$: the subterm $u$ occurring in the typed term $t\,u$ turns out to be untyped.

A (type) derivation is a tree obtained by applying the (inductive) typing rules of system $\mathcal{V}$. The notation $\triangleright_\mathcal{V} \Gamma \vdash t : \tau$ means there is a derivation of the judgement $\Gamma \vdash t : \tau$ in system $\mathcal{V}$. The term $t$ is typable in system $\mathcal{V}$, or $\mathcal{V}$-typable, iff $t$ is the subject of some derivation, i.e. iff there are $\Gamma$ and $\tau$ such that $\triangleright_\mathcal{V} \Gamma \vdash t : \tau$. We use the capital Greek letters $\Phi, \Psi, \ldots$ to name type derivations, by writing for example $\Phi \triangleright_\mathcal{V} \Gamma \vdash t : \tau$. For short, we usually denote with $\Phi_t$ a derivation with subject $t$ for some type and context. The size of the derivation $\Phi$, denoted by $sz(\Phi)$, is defined as the number of nodes of the corresponding derivation tree. We write $RULE(\Phi) \in \{(ax), (val), (\to i), (\to e)\}$ to access the last rule applied in the derivation $\Phi$. Likewise, $PREM(\Phi)$ is the multiset of proper maximal subderivations of $\Phi$. For instance, given

\[
\Phi \;=\; \frac{\Phi_t \qquad (\Phi_i)_{i \in I}}{\Gamma \vdash t\,u : \tau}\;(\to e)
\]

we have $RULE(\Phi) = (\to e)$ and $PREM(\Phi) = \{\Phi_t\} \cup \{\Phi_i \mid i \in I\}$. We also use functions $CTXT(\Phi)$, $SUBJ(\Phi)$ and $TYPE(\Phi)$ to access the context, subject and type of the judgement in the root of the derivation tree respectively. For short, we also use notation $\Phi(x)$ to denote the type associated to the variable $x$ in the typing environment of the conclusion of $\Phi$ (i.e. $\Phi(x) := CTXT(\Phi)(x)$).
Intersection type systems can usually be seen as models [11], i.e. typing 
is stable by convertibility: if $t$ is typable and $t =_\beta t'$, then $t'$ is typable too. 
This property splits in two different statements known as subject reduction and 
subject expansion respectively, the first one giving stability of typing by reduc- 
tion, the second one by expansion. In the particular case of non-idempotent 
types, subject reduction refines to weighted subject-reduction, stating that not 
only typability is stable by reduction, but also that the size of type derivations 
is decreasing. Moreover, this decrease is strict when reduction is performed on 
special occurrences of redexes, called typed occurrences. We now introduce all 
these concepts. 

Given a type derivation $\Phi$, the set $TOC(\Phi)$ of typed occurrences of $\Phi$, which is a subset of $oc(SUBJ(\Phi))$, is defined by induction on the last rule of $\Phi$.

- If $RULE(\Phi) \in \{(ax), (val)\}$, then $TOC(\Phi) := \{\epsilon\}$.

- If $RULE(\Phi) = (\to i)$ with $SUBJ(\Phi) = \lambda x.t$ and $PREM(\Phi) = \{\Phi_t\}$, then $TOC(\Phi) := \{\epsilon\} \cup \{0p \mid p \in TOC(\Phi_t)\}$.

- If $RULE(\Phi) = (\to e)$ with $SUBJ(\Phi) = t\,u$ and $PREM(\Phi) = \{\Phi_t\} \cup \{\Phi_i \mid i \in I\}$, then $TOC(\Phi) := \{\epsilon\} \cup \{0p \mid p \in TOC(\Phi_t)\} \cup (\bigcup_{i \in I} \{1p \mid p \in TOC(\Phi_i)\})$.

Remark that there are two kinds of untyped occurrences, those inside untyped arguments of applications, and those inside untyped bodies of abstractions. For instance consider the following type derivation $\Phi_{KI\Omega}$ (with $K = \lambda x.\lambda y.x$, $I = \lambda z.z$ and $\Omega = (\lambda x.x\,x)\,(\lambda x.x\,x)$, as usual):

\[
\Phi_{KI\Omega} \;=\;
\cfrac{
  \cfrac{
    \cfrac{\cfrac{\overline{x : \{a\} \vdash x : a}\;(ax)}{x : \{a\} \vdash \lambda y.x : \{\} \to a}\;(\to i)}
          {\vdash K : \{a\} \to \{\} \to a}\;(\to i)
    \qquad \overline{\vdash I : a}\;(val)
  }{\vdash K\,I : \{\} \to a}\;(\to e)
}{\vdash K\,I\,\Omega : a}\;(\to e)
\]

Then, $TOC(\Phi_{KI\Omega}) = \{\epsilon, 0, 00, 01, 000, 0000\} \subset oc(K\,I\,\Omega)$.

Remark 1. The weak-head redex of a typed term is always a typed occurrence.
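As an added illustration of Fig. 1 together with $sz$ and $TOC$ (example code, not the paper's or its authors'), the following Python checker validates a derivation of system $\mathcal{V}$ rule by rule, enforcing the relevant axiom, the $\Gamma \setminus\!\!\setminus x$ and $\Gamma(x)$ bookkeeping of $(\to i)$, and the multiset matching of $(\to e)$; it computes $sz(\Phi)$ and $TOC(\Phi)$ and rebuilds $\Phi_{KI\Omega}$. The encodings of terms, types, contexts and derivation nodes are this example's own assumptions.

```python
# Added example, not the paper's code: a checker for derivations of system V (Fig. 1)
# that also computes sz(Phi) and TOC(Phi).  Encodings are this example's own:
#   terms   ('var', x) | ('app', t, u) | ('lam', x, t)
#   types   A (the constant type a) | ('base', name) | ('arrow', M, tau),
#           where the multiset M is encoded as a sorted tuple of types
#   proofs  ('ax', x, tau) | ('val', term) | ('arri', x, phi) | ('arre', phi_t, u, [phi_i])
# A context Gamma is a Counter of (variable, type) pairs, i.e. Gamma(x) is a multiset.
from collections import Counter

A = ('const', 'a')
def arrow(M, tau): return ('arrow', tuple(sorted(M)), tau)
def var(x): return ('var', x)
def lam(x, t): return ('lam', x, t)
def app(t, u): return ('app', t, u)

def check(phi):
    """Return the root judgement (Gamma, t, tau) of phi; raise ValueError if a rule is misused."""
    kind = phi[0]
    if kind == 'ax':                                   # x : {tau} |- x : tau  (no weakening)
        _, x, tau = phi
        return Counter({(x, tau): 1}), var(x), tau
    if kind == 'val':                                  # |- lam x.t : a
        t = phi[1]
        if t[0] != 'lam': raise ValueError('(val) types abstractions only')
        return Counter(), t, A
    if kind == 'arri':                                 # Gamma \\ x |- lam x.t : Gamma(x) -> tau
        _, x, sub = phi
        gamma, t, tau = check(sub)
        M = [ty for (y, ty), n in gamma.items() if y == x for _ in range(n)]
        rest = Counter({k: n for k, n in gamma.items() if k[0] != x})
        return rest, lam(x, t), arrow(M, tau)
    if kind == 'arre':                                 # Gamma +_i Delta_i |- t u : tau
        _, sub_t, u, subs = phi
        gamma, t, ft = check(sub_t)
        if ft[0] != 'arrow': raise ValueError('(->e) needs a functional type for t')
        premises = [check(s) for s in subs]             # u is typed #(I) times, possibly 0
        if any(ui != u for _, ui, _ in premises): raise ValueError('(->e) premises must type u')
        if tuple(sorted(sigma for _, _, sigma in premises)) != ft[1]:
            raise ValueError('(->e) argument types must form the multiset of the arrow')
        total = Counter(gamma)
        for delta, _, _ in premises: total.update(delta)
        return total, app(t, u), ft[2]
    raise ValueError(f'unknown rule {kind}')

def is_valid(phi):
    try:
        check(phi); return True
    except ValueError:
        return False

def prem(phi):                          # PREM(Phi): the proper maximal subderivations
    if phi[0] == 'arri': return [phi[2]]
    if phi[0] == 'arre': return [phi[1], *phi[3]]
    return []

def sz(phi): return 1 + sum(sz(s) for s in prem(phi))

def toc(phi):                           # TOC(Phi), by the last rule of Phi
    if phi[0] in ('ax', 'val'): return {''}
    if phi[0] == 'arri': return {''} | {'0' + p for p in toc(phi[2])}
    return {''} | {'0' + p for p in toc(phi[1])} | {'1' + p for s in phi[3] for p in toc(s)}

# The derivation Phi_KIOmega of Sect. 4.  Omega is the argument of an (->e) with I
# empty, so it is untyped and contributes nothing to TOC.
K = lam('x', lam('y', var('x')))
I = lam('z', var('z'))
OMEGA = app(lam('w', app(var('w'), var('w'))), lam('w', app(var('w'), var('w'))))
PHI_K = ('arri', 'x', ('arri', 'y', ('ax', 'x', A)))
PHI_KI = ('arre', PHI_K, I, [('val', I)])
PHI_KIOMEGA = ('arre', PHI_KI, OMEGA, [])
```

`check(PHI_KIOMEGA)` yields the empty context, the subject $K\,I\,\Omega$ and the type $a$; `toc` returns $\{\epsilon, 0, 00, 01, 000, 0000\}$ and `sz` returns 6. Wrapping the same derivation in an $(\to i)$ node for $y$ gives the first counterexample of Sect. 6.2, $\vdash \lambda y.K\,I\,\Omega : \{\} \to a$, whose typed occurrence $0$ is not a redex. A derivation that types $K$ with $(val)$ and then applies it is rejected, since $a$ is not an arrow type.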


Given $\Phi$ and $p \in TOC(\Phi)$, we define $\Phi|_p$ as the multiset of all the subderivations of $\Phi$ at occurrence $p$ (a formal definition can be found in [15]). Note that $\Phi|_p$ is a multiset since the subterm of $SUBJ(\Phi)$ at position $p$ may be typed several times in $\Phi$, due to rule $(\to e)$.

We can now state the two main properties of system $\mathcal{V}$, whose proofs can be found in Sect. 7 of [9].

Theorem 2 (Weighted Subject Reduction). Let $\Phi \triangleright_\mathcal{V} \Gamma \vdash t : \tau$. If $r : t \to_\beta t'$, then there exists $\Phi'$ s.t. $\Phi' \triangleright_\mathcal{V} \Gamma \vdash t' : \tau$. Moreover,

1. If $r \in TOC(\Phi)$, then $sz(\Phi) > sz(\Phi')$.

2. If $r \notin TOC(\Phi)$, then $sz(\Phi) = sz(\Phi')$.

Theorem 3 (Subject Expansion). Let $\Phi' \triangleright_\mathcal{V} \Gamma \vdash t' : \tau$. If $t \to_\beta t'$, then there exists $\Phi$ s.t. $\Phi \triangleright_\mathcal{V} \Gamma \vdash t : \tau$.

Note that weighted subject reduction implies that reduction of typed redex occurrences turns out to be normalising.
5 Substitution and Reduction on Derivations 

In order to relate typed redex occurrences of convertible terms, we now extend the notion of $\beta$-reduction to derivation trees, by making use of a natural and basic concept of typed substitution. In contrast to substitution and $\beta$-reduction on terms, these operations are now both non-deterministic on derivation trees (see [19] for discussions and examples). Given a variable $x$ and type derivations $\Phi_t$ and $(\Phi^i_u)_{i \in I}$, the typed substitution of $x$ by $(\Phi^i_u)_{i \in I}$ in $\Phi_t$, written $\Phi_t\{x/(\Phi^i_u)_{i \in I}\}$ by making an abuse of notation, is a type derivation inductively defined on $\Phi_t$, only if $\Phi_t(x) = \{TYPE(\Phi^i_u)\}_{i \in I}$. This non-deterministic construction may be non-trivial but it can be naturally formalised in a quite straightforward way (full details can be found in [15]). Intuitively, the typed substitution replaces typed occurrences of $x$ in $\Phi_t$ by a corresponding derivation $\Phi^i_u$, matching the same type, where such a matching is chosen in a non-deterministic way. Moreover, it also substitutes all untyped occurrences of $x$ by $u$, where this untyped operation is completely deterministic. Thus, for example, consider the following substitution, where $\Phi_{KI}$ is defined in Sect. 4 (it is the subderivation of $\Phi_{KI\Omega}$ with conclusion $\vdash K\,I : \{\} \to a$):

\[
\cfrac{\overline{x : \{\{\} \to a\} \vdash x : \{\} \to a}\;(ax)}{x : \{\{\} \to a\} \vdash x\,x : a}\;(\to e)
\;\{x/\Phi_{KI}\}
\;=\;
\cfrac{\Phi_{KI}}{\vdash (K\,I)\,(K\,I) : a}\;(\to e)
\]


The following lemma relates the typed occurrences of the trees composing a substitution and those of the substituted tree itself:

Lemma 3. Let $\Phi_t$ and $(\Phi^i_u)_{i \in I}$ be derivations such that $\Phi_t\{x/(\Phi^i_u)_{i \in I}\}$ is defined, and $p \in oc(t)$. Then,

1. $p \in TOC(\Phi_t)$ iff $p \in TOC(\Phi_t\{x/(\Phi^i_u)_{i \in I}\})$.
2. $q \in TOC(\Phi^k_u)$ for some $k \in I$ iff there exists $p \in TOC(\Phi_t)$ such that $t|_p = x$ and $pq \in TOC(\Phi_t\{x/(\Phi^i_u)_{i \in I}\})$.

Proof. By induction on $\Phi_t$.


Based on the previous notion of substitutions on derivations, we are now able to introduce (non-deterministic) reduction on derivation trees. The reduction relation $\to_\beta$ on derivation trees is then defined by first considering the following basic rewriting rules.

1. For typed $\beta$-redexes:

\[
\cfrac{
  \cfrac{\Phi_t \triangleright_\mathcal{V} \Gamma; x : \{\sigma_i\}_{i \in I} \vdash t : \tau}{\Gamma \vdash \lambda x.t : \{\sigma_i\}_{i \in I} \to \tau}\;(\to i)
  \qquad (\Phi_i \triangleright_\mathcal{V} \Delta_i \vdash u : \sigma_i)_{i \in I}
}{\Gamma +_{i \in I} \Delta_i \vdash (\lambda x.t)\,u : \tau}\;(\to e)
\quad \mapsto_\beta \quad
\Phi_t\{x/(\Phi_i)_{i \in I}\}
\]

2. For $\beta$-redexes in untyped occurrences, with $u \to_\beta u'$:

\[
\cfrac{\Gamma \vdash t : \{\} \to \tau}{\Gamma \vdash t\,u : \tau}\;(\to e)
\;\mapsto_\beta\;
\cfrac{\Gamma \vdash t : \{\} \to \tau}{\Gamma \vdash t\,u' : \tau}\;(\to e)
\qquad\qquad
\overline{\vdash \lambda x.u : a}\;(val)
\;\mapsto_\beta\;
\overline{\vdash \lambda x.u' : a}\;(val)
\]

As in the case of the $\lambda$-calculus, where reduction is closed under usual term contexts, we need to close the previous relation under derivation tree contexts. However, a one-step reduction on a given subterm causes many one-step reductions in the corresponding derivation tree (recall $\Phi|_p$ is defined to be a multiset). Then, informally, given a redex occurrence $r$ of $t$, a type derivation $\Phi$ of $t$, and the multiset of minimal subderivations of $\Phi$ containing $r$, written $\mathcal{M}$, we apply the reduction rules $\mapsto_\beta$ to all the elements of $\mathcal{M}$, thus obtaining a multiset $\mathcal{M}'$, and we recompose the type derivation of the reduct of $t$ (see [15] for a formal definition). This gives the reduction relation $\to_\beta$ on trees. A reduction sequence on derivation trees contracting only redexes in typed positions is dubbed a typed reduction sequence.

Note that typed reductions are normalising by Theorem 2, yielding a special kind of derivation. Indeed, given a type derivation $\Phi \triangleright_\mathcal{V} \Gamma \vdash t : \tau$, we say that $\Phi$ is normal iff $TOC(\Phi) \cap roc(t) = \emptyset$. Reduction on trees induces reduction on terms: when $\rho : \Phi \twoheadrightarrow_\beta \Phi'$, then $SUBJ(\Phi) \twoheadrightarrow_\beta SUBJ(\Phi')$. By abuse of notation we may denote both sequences with the same letter $\rho$.


6 Weak-Head Neededness and Typed Occurrences 


This section presents one of our main results. It establishes a connection between weak-head needed redexes and typed redex occurrences. More precisely, we first show in Sect. 6.1 that every weak-head needed redex occurrence turns out to be a typed occurrence, whatever its type derivation is. The converse does not however hold. But, we show in Sect. 6.2 that any typed occurrence in a special kind of typed derivation (that we call principal) corresponds to a weak-head needed redex occurrence. We start with a technical lemma.

Lemma 4. Let $r : \Phi_t \to_\beta \Phi_{t'}$ and $p \in oc(t)$ such that $p \neq r$ and $p \neq r0$. Then, $p \in TOC(\Phi_t)$ iff there exists $p' \in p/r$ such that $p' \in TOC(\Phi_{t'})$.

Proof. By induction on $r$ using Lemma 3.

6.1 Weak-Head Needed Redexes Are Typed 

In order to show that every weak-head needed redex occurrence corresponds to a typed occurrence in some type derivation we start by proving that typed occurrences do not come from untyped ones.

Lemma 5. Let $\rho : \Phi_t \twoheadrightarrow_\beta \Phi_{t'}$ and $p \in oc(t)$. If there exists $p' \in p/\rho$ such that $p' \in TOC(\Phi_{t'})$, then $p \in TOC(\Phi_t)$.

Proof. Straightforward induction on $\rho$ using Lemma 4.

Theorem 4. Let $r$ be a weak-head needed redex in $t$. Let $\Phi$ be a type derivation of $t$. Then, $r \in TOC(\Phi)$.

Proof. By Theorem 1, $r$ is used in the weak-head reduction from $t$ to $t' \in WHNF_\beta$. By Remark 1, the weak-head reduction contracts only typed redexes. Thus, $r$ or some of its residuals is a typed occurrence in its corresponding derivation tree. Finally, we conclude by Lemma 5, $r \in TOC(\Phi)$.


6.2 Principally Typed Redexes Are Weak-Head Needed 

As mentioned before, the converse of Theorem 4 does not hold: there are some typed occurrences that do not correspond to any weak-head needed redex occurrence. This can be illustrated in the following examples (recall $\Phi_{KI\Omega}$ defined in Sect. 4):

\[
\cfrac{\Phi_{KI\Omega}}{\vdash \lambda y.K\,I\,\Omega : \{\} \to a}\;(\to i)
\qquad
\cfrac{\overline{y : \{\{a\} \to a\} \vdash y : \{a\} \to a}\;(ax) \qquad \Phi_{KI\Omega}}{y : \{\{a\} \to a\} \vdash y\,(K\,I\,\Omega) : a}\;(\to e)
\]

Indeed, the occurrence $0$ (resp. $1$) in the term $\lambda y.K\,I\,\Omega$ (resp. $y\,(K\,I\,\Omega)$) is typed but not weak-head needed, since both terms are already in weak-head normal form. Fortunately, typing relates to redex occurrences if we restrict type derivations to principal ones: given a term $t$ in weak-head $\beta$-normal form, the derivation $\Phi \triangleright_\mathcal{V} \Gamma \vdash t : \tau$ is normal principally typed if:

- $t = x\,t_1 \ldots t_n$ ($n \geq 0$), and $\Gamma = \{x : \{\underbrace{\{\} \to \ldots \to \{\}}_{n \text{ times}} \to \tau\}\}$ and $\tau$ is a type variable $\alpha$ (i.e. none of the $t_i$ are typed), or
- $t = \lambda x.t'$, and $\Gamma = \emptyset$ and $\tau = a$.

Given a weak-head normalising term $t$ such that $\Phi_t \triangleright_\mathcal{V} \Gamma \vdash t : \tau$, we say that $\Phi_t$ is principally typed if $\Phi_t \twoheadrightarrow_\beta \Phi_{t'}$ for some $t' \in whnf_\beta(t)$ implies $\Phi_{t'}$ is normal principally typed.

Note in particular that the previous definition does not depend on the chosen weak-head normal form $t'$: suppose $t'' \in whnf_\beta(t)$ is another weak-head normal form of $t$, then $t'$ and $t''$ are convertible terms by the Church-Rosser property [7] so that $t'$ can be normal principally typed iff $t''$ can, by Theorems 2 and 3.

Lemma 6. Let $\Phi_t$ be a type derivation with subject $t$ and $r \in roc(t) \cap TOC(\Phi_t)$. Let $\rho : \Phi_t \twoheadrightarrow_\beta \Phi_{t'}$ such that $\Phi_{t'}$ is normal. Then, $r$ is used in $\rho$.

Proof. Straightforward induction on $\rho$ using Lemma 4.

The notions of leftmost and weak-head needed reductions on (untyped) terms naturally extend to typed reductions on tree derivations. We thus have:

Lemma 7. Let $t$ be a weak-head normalising term and $\Phi_t$ be principally typed. Then, a leftmost typed reduction sequence starting at $\Phi_t$ is weak-head needed.

Proof. By induction on the leftmost typed sequence (called $\rho$). If $\rho$ is empty the result is immediate. If not, we show that $t$ has a typed weak-head needed redex (which is leftmost by definition) and conclude by inductive hypothesis. Indeed, assume $t \in WHNF_\beta$. By definition $\Phi_t$ is normal principally typed and thus it has no typed redexes. This contradicts $\rho$ being non-empty. Hence, $t$ has a weak-head redex $r$ (i.e. $t \notin WHNF_\beta$). Moreover, $r$ is both typed (by Remark 1) and weak-head needed (by Lemma 2). Thus, we conclude.

Theorem 5. Let $t$ be a weak-head normalising term, $\Phi_t$ be principally typed and $r \in roc(t) \cap TOC(\Phi_t)$. Then, $r$ is a weak-head needed redex in $t$.

Proof. Let $\rho : \Phi_t \twoheadrightarrow_\beta \Phi_{t'}$ be the leftmost typed reduction sequence where $\Phi_{t'}$ is normal. Note that $\Phi_{t'}$ exists by definition of principally typed. By Lemma 7, $\rho$ is a weak-head needed reduction sequence. Moreover, by Lemma 6, $r$ is used in $\rho$. Hence, $r$ is a weak-head needed redex in $t$.

As a direct consequence of Theorems 4 and 5, given a weak-head normalising term $t$, the typed redex occurrences in its principally typed derivation (which always exists) correspond to its weak-head needed redexes. Hence, system $\mathcal{V}$ allows us to identify all the weak-head needed redexes of a weak-head normalising term.


7 Characterising Weak-Head Needed Normalisation 

This section presents one of the main pieces contributing to our observational equivalence result. Indeed, we relate typing with weak-head neededness by showing that any typable term in system $\mathcal{V}$ is normalising for weak-head needed reduction. This characterisation highlights the power of intersection types. We start by a technical lemma.

Lemma 8. Let $\Phi \triangleright_\mathcal{V} \Gamma \vdash t : \tau$. Then, $\Phi$ normal implies $t \in WHNF_\beta$.

Proof. By induction on $\Phi$ analysing the last rule applied.

Let $\rho : t_1 \twoheadrightarrow_\beta t_n$. We say that $\rho$ is a left-to-right reduction sequence iff for every $i < n$ if $r_i : t_i \to_\beta t_{i+1}$ and $l_i$ is to the left of $r_i$ then, for every $j > i$ such that $r_j : t_j \to_\beta t_{j+1}$ we have that $r_j \notin \{l_i\}/\rho_{ij}$, where $\rho_{ij} : t_i \twoheadrightarrow_\beta t_j$ is the corresponding subsequence of $\rho$. In other words, for every $j$ and every $i < j$, $r_j$ is not a residual of a redex to the left of $r_i$ (relative to the given reduction subsequence from $t_i$ to $t_j$) [7].

Left-to-right reductions define in particular standard strategies, which give canonical ways to construct reduction sequences from one term to another:

Theorem 6 ([7]). If $t \twoheadrightarrow_\beta t'$, there exists a left-to-right reduction from $t$ to $t'$.

Theorem 7. Let $t \in \mathcal{T}_\lambda$. Then, $\Phi \triangleright_\mathcal{V} \Gamma \vdash t : \tau$ iff $t \in WN_{whnd}$.

Proof. $\Rightarrow$) By Theorem 2 we know that the strategy reducing only typed redex occurrences is normalising, i.e. there exist $t'$ and $\Phi'$ such that $t \twoheadrightarrow_\beta t'$, $\Phi' \triangleright_\mathcal{V} \Gamma \vdash t' : \tau$ and $\Phi'$ normal. Then, by Lemma 8, $t' \in WHNF_\beta$. By Theorem 6, there exists a left-to-right reduction $\rho : t \twoheadrightarrow_\beta t'$. Let us write

\[
\rho : t = t_1 \twoheadrightarrow_\beta t_n \twoheadrightarrow_\beta t'
\]

such that $t_1, \ldots, t_{n-1} \notin WHNF_\beta$ and $t_n \in WHNF_\beta$.

We claim that all reduction steps in $t_1 \twoheadrightarrow_\beta t_n$ are leftmost. Assume towards a contradiction that there exists $k < n$ such that $r : t_k \to_\beta t_{k+1}$ and $r$ is not the leftmost redex of $t_k$ (written $l_k$). Since $\rho$ is a left-to-right reduction, no residual of $l_k$ is contracted after the $k$-th step. Thus, there is a reduction sequence from $t_k \notin WHNF_\beta$ to $t_n \in WHNF_\beta$ such that $l_k$ is not used in it. This leads to a contradiction with $l_k$ being weak-head needed in $t_k$, by Lemma 2.

As a consequence, there is a leftmost reduction sequence $t \twoheadrightarrow_\beta t_n$. Moreover, by Lemma 2, $t \twoheadrightarrow_{whnd} t_n \in WHNF_\beta = NF_{whnd}$. Thus, $t \in WN_{whnd}$.

$\Leftarrow$) Consider the reduction $\rho : t \twoheadrightarrow_{whnd} t'$ with $t' \in whnf_\beta(t)$. Let $\Phi' \triangleright_\mathcal{V} \Gamma \vdash t' : \tau$ be the normal principally typed derivation for $t'$ as defined in Sect. 6.2. Finally, we conclude by induction on $\rho$ using Theorem 3, $\Phi \triangleright_\mathcal{V} \Gamma \vdash t : \tau$.


8 The Call-by-Need Lambda-Calculus 

This section describes the syntax and the operational semantics of the call-by-need lambda-calculus introduced in [1]. It is more concise than previous specifications of call-by-need [2,3,10,16], but it is operationally equivalent to them [6], so that our results could also be presented by using alternative specifications. Given a countable infinite set $\mathcal{X}$ of variables $x, y, z, \ldots$ we define different syntactic categories for terms, values, list contexts, answers and need contexts:

(Terms) $t, u ::= x \in \mathcal{X} \mid t\,u \mid \lambda x.t \mid t[x \backslash u]$
(Values) $v ::= \lambda x.t$
(List contexts) $L ::= \Box \mid L[x \backslash t]$
(Answers) $a ::= L\langle \lambda y.t \rangle$
(Need contexts) $M, N ::= \Box \mid N\,t \mid N[x \backslash t] \mid N\langle\!\langle x \rangle\!\rangle[x \backslash M]$

We denote the set of terms by $\mathcal{T}_e$. Terms of the form $t[x \backslash u]$ are closures, and $[x \backslash u]$ is called an explicit substitution (ES). The set of $\mathcal{T}_e$-terms without ES is the set of terms of the $\lambda$-calculus, i.e. $\mathcal{T}_\lambda$. The notions of free and bound variables are defined as expected, in particular, $fv(t[x \backslash u]) := (fv(t) \setminus \{x\}) \cup fv(u)$, $fv(\lambda x.t) := fv(t) \setminus \{x\}$, $bv(t[x \backslash u]) := bv(t) \cup \{x\} \cup bv(u)$ and $bv(\lambda x.t) := bv(t) \cup \{x\}$. We extend the standard notion of $\alpha$-conversion to ES, as expected.

We use the special notation $N\langle\!\langle u \rangle\!\rangle$ or $L\langle\!\langle u \rangle\!\rangle$ when the free variables of $u$ are not captured by the context, i.e. there are no abstractions or explicit substitutions in the context that bind the free variables of $u$. Thus for example, given $N = (\Box\,x)[x \backslash z]$, we have $(y\,x)[x \backslash z] = N\langle y \rangle = N\langle\!\langle y \rangle\!\rangle$, but $(x\,x)[x \backslash z] = N\langle x \rangle$ cannot be written as $N\langle\!\langle x \rangle\!\rangle$. Notice the use of this special notation in the last case of need contexts, an example of such case being $(x\,y)[y \backslash t][x \backslash u]$.

The call-by-need calculus, introduced in [1], is given by the set of terms $\mathcal{T}_e$ and the reduction relation $\to_{need}$, the union of $\to_{dB}$ and $\to_{lsv}$, which are, respectively, the closure by need contexts of the following rewriting rules:

\[
L\langle \lambda x.t \rangle\,u \;\mapsto_{dB}\; L\langle t[x \backslash u] \rangle
\]
\[
N\langle\!\langle x \rangle\!\rangle[x \backslash L\langle v \rangle] \;\mapsto_{lsv}\; L\langle N\langle v \rangle[x \backslash v] \rangle
\]

These rules avoid capture of free variables. An example of need-reduction sequence is the following, where the redex of each step is underlined for clearness:

\[
\underline{(\lambda x_1.I\,(x_1\,I))\,(\lambda y.I\,y)} \to_{dB}
(\underline{I\,(x_1\,I)})[x_1 \backslash \lambda y.I\,y] \to_{dB}
\underline{x_2[x_2 \backslash x_1\,I][x_1 \backslash \lambda y.I\,y]} \to_{lsv}
\]
\[
x_2[x_2 \backslash \underline{(\lambda x_3.I\,x_3)\,I}][x_1 \backslash \lambda y.I\,y] \to_{dB}
x_2[x_2 \backslash (\underline{I\,x_3})[x_3 \backslash I]][x_1 \backslash \lambda y.I\,y] \to_{dB}
x_2[x_2 \backslash \underline{x_4[x_4 \backslash x_3][x_3 \backslash I]}][x_1 \backslash \lambda y.I\,y] \to_{lsv}
\]
\[
x_2[x_2 \backslash \underline{x_4[x_4 \backslash I]}[x_3 \backslash I]][x_1 \backslash \lambda y.I\,y] \to_{lsv}
\underline{x_2[x_2 \backslash I[x_4 \backslash I][x_3 \backslash I]]}[x_1 \backslash \lambda y.I\,y] \to_{lsv}
I[x_2 \backslash I][x_4 \backslash I][x_3 \backslash I][x_1 \backslash \lambda y.I\,y]
\]

As for call-by-name, reduction preserves free variables, i.e. $t \to_{need} t'$ implies $fv(t) \supseteq fv(t')$. Notice that call-by-need reduction is also weak, so that answers are not need-reducible.


9 Observational Equivalence 

The results in Sect. 7 are used here to prove soundness and completeness of call-by-need w.r.t. weak-head neededness, our second main result. More precisely, a call-by-need interpreter stops in a value if and only if the weak-head needed reduction stops in a value. This means that call-by-need and call-by-name are observationally equivalent.

Formally, given a reduction relation $R$ on a term language $\mathcal{T}$, and an associated notion of context for $\mathcal{T}$, we define $t$ to be observationally equivalent to $u$, written $t \cong_R u$, iff $C\langle t \rangle \in WN_R \Leftrightarrow C\langle u \rangle \in WN_R$ for every context $C$. In order to show our final result we resort to the following theorem:

Theorem 8 ([14]).
1. Let $t \in \mathcal{T}_\lambda$. Then, $\Phi \triangleright_\mathcal{V} \Gamma \vdash t : \tau$ iff $t \in WN_{name}$.
2. For all terms $t$ and $u$ in $\mathcal{T}_\lambda$, $t \cong_{name} u$ iff $t \cong_{need} u$.

These observations allow us to conclude:

Theorem 9. For all terms $t$ and $u$ in $\mathcal{T}_\lambda$, $t \cong_{whnd} u$ iff $t \cong_{need} u$.

Proof. By Theorem 8:2 it is sufficient to show $t \cong_{whnd} u$ iff $t \cong_{name} u$. The proof proceeds as follows:

$t \cong_{name} u$ iff (definition)
$C\langle t \rangle \in WN_{name} \Leftrightarrow C\langle u \rangle \in WN_{name}$ iff (Theorem 8:1)
$C\langle t \rangle$ typable in $\mathcal{V}$ $\Leftrightarrow$ $C\langle u \rangle$ typable in $\mathcal{V}$ iff (Theorem 7)
$C\langle t \rangle \in WN_{whnd} \Leftrightarrow C\langle u \rangle \in WN_{whnd}$ iff (definition)
$t \cong_{whnd} u$
10 Conclusion 

We establish a clear connection between the semantical standard notion of neededness and the syntactical concept of call-by-need. The use of non-idempotent types — a powerful technique being able to characterise different operational properties — provides a simple and natural tool to show observational equivalence between these two notions. We refer the reader to [5] for other proof techniques (not based on intersection types) used to connect semantical notions of neededness with syntactical notions of lazy evaluation.

An interesting (and not difficult) extension of our result in Sect. 6 is that call-by-need reduction (defined on $\lambda$-terms with explicit substitutions) contracts only $dB$ weak-head needed redexes, for an appropriate (and very natural) notion of weak-head needed redex for $\lambda$-terms with explicit substitutions. A technical tool to obtain such a result would be the type system $\mathcal{A}$ [14], a straightforward adaptation of system $\mathcal{V}$ to call-by-need syntax.

Given the recent formulation of strong call-by-need [6] describing a deterministic call-by-need strategy to normal form (instead of weak-head normal form), it would be natural to extend our technique to obtain an observational equivalence result between the standard notion of needed reduction (to full normal forms) and the strong call-by-need strategy. This remains as future work.
Abstract. Fitch-style modal deduction, in which modalities are eliminated by opening a subordinate proof, and introduced by shutting one, was investigated in the 1990s as a basis for lambda calculi. We show that such calculi have good computational properties for a variety of intuitionistic modal logics. Semantics are given in cartesian closed categories equipped with an adjunction of endofunctors, with the necessity modality interpreted by the right adjoint. Where this functor is an idempotent comonad, a coherence result on the semantics allows us to present a calculus for intuitionistic S4 that is simpler than others in the literature. We show the calculi can be extended à la tense logic with the left adjoint of necessity, and are then complete for the categorical semantics.

Keywords: Intuitionistic modal logic · Typed lambda calculi · Categorical semantics


1 Introduction 


The Curry-Howard propositions-as-types isomorphism [21,39,41] provides a cor- 
respondence between natural deduction and typed lambda calculus of interest 
to both logicians and computer scientists. For the logician, term assignment 
offers a convenient notation to express and reason about syntactic properties 
such as proof normalisation, and, especially in the presence of dependent types, 
allows proofs of non-trivial mathematical theorems to be checked by computer 
programs. For the computer scientist, logics have been repurposed as typing 
disciplines to address problems in computing in sometimes surprising ways. Fol- 
lowing Lambek [25], categories form a third leg of the isomorphism. Categorical 
semantics can be used to prove the consistency of a calculus, and they are cru- 
cial if we wish to prove or program in some particular mathematical setting. For 
example, see the use of the topos of trees as a setting for both programming 
with guarded recursion, and proof by Löb induction, by Clouston et al. [11]. 
This work involved two functors, ‘later’ and ‘constant’. Where functors inter- 
act appropriately with finite products they correspond to necessity modalities in 
intuitionistic normal modal logic, usually written $\Box$. Such modalities have been 
extensively studied by logicians, and the corresponding type-formers are widely 
applicable in computing, for example to monads [32], staged programming [13], 
propositional truncation [2], and recent work in homotopy type theory [37]. There 
is hence a need to develop all sides of the Curry-Howard-Lambek isomorphism 
for necessity modalities. Approaches to modal lambda calculi are diverse; see the 
survey by Kavvos [23], and remarks in the final section of this paper. This paper 
focuses on Fitch-style modal lambda calculi as first proposed by Borghuis [9] 
and (as the “two-dimensional” approach) by Martini and Masini [29]. 

Fitch-style modal lambda calculi¹ adapt the proof methods of Fitch [19] in 
which given a formula □A we may open a ‘(strict) subordinate proof’ in which 
we eliminate the □ to get premise A. Such a subordinate proof with conclusion 
B can then be shut by introducing a □ to conclude □B. Different modal logics 
can be encoded by tweaking the open and shut rules; for example we could shut 
the proof to conclude merely B, if we had the T axiom □B → B. Normal modal 
logics are usually understood with respect to Kripke’s possible worlds semantics 
(for the intuitionistic version, see e.g. Simpson [38, Sect. 3.3]). In this setting 
Fitch’s approach is highly intuitive, as opening a subordinate proof corresponds 
to travelling to a generic related world, while shutting corresponds to returning 
to the original world. See Fitting [20, Chap. 4] for a lengthier discussion of this 
approach to natural deduction. 

Borghuis [9] kept track of subordinate proofs in a sequent presentation by 
introducing a new structural connective to the context when a □ is eliminated, 
and removing it from the context when one is introduced, in a style reminiscent 
of the treatment of modal logic in display calculus [42], or for that matter of 
the standard duality between implication and comma. To the category theorist, 
this suggests an operation on contexts left adjoint to □. This paper exploits this 
insight by presenting categorical semantics for Fitch-style modal calculi for the 
first time, answering the challenge of de Paiva and Ritter [33, Sect. 4], by mod- 
elling necessity modalities as right adjoints. This is logically sound and complete, 
yet less general than modelling modalities as monoidal functors as done for exam- 
ple by Bellin et al. [4]. For example, truncation in sets is monoidal but has no 
right adjoint. Nonetheless adjunctions are ubiquitous, and in their presence we 
argue that the case for Fitch-style calculi is compelling. Examples of right adjoints 
of interest to type theorists include the aforementioned modalities of guarded 
recursion, the closure modalities of (differential) cohesive ∞-toposes [36, Sect. 3], 
and atom-abstraction in nominal sets [31]. 

In Sect.2 we present Borghuis’s calculus for the logic Intuitionistic K, the 
most basic intuitionistic modal logic of necessity. To the results of confluence, 
subject reduction, and strong normalisation already shown by Borghuis we add 
canonicity and the subformula property, with the latter proof raising a subtle 
issue with sums not previously observed. We give categorical semantics for this 
style of calculus for the first time and prove soundness. In Sect. 3 we introduce the 


¹ ‘Fitch-style’ deduction can also be used to mean the linear presentation of natural 
deduction with subordinate proofs for implication. 
left adjoint as a first-class type former à la intuitionistic tense logic [17], in which 
the “everywhere in the future” modality is paired with “somewhere in the past”. 
To our knowledge this is the first natural deduction calculus, let alone lambda 
calculus, for any notion of tense logic. It is not entirely satisfactory as it lacks the 
subformula property, but it does allow us to prove categorical completeness. In 
Sect. 4 we show how the basic techniques developed for Intuitionistic K extend 
to Intuitionistic S4, one of the most-studied intuitionistic modal logics. Instead 
of working with known Fitch-style calculi for this logic [13,34] we explore a 
new, particularly simple, calculus where the modality is idempotent, i.e. □□A 
and □A are not merely logically equivalent, but isomorphic. Our semantics 
for this calculus rely on an unusual ‘coherence’ proof. In Sect.5 we present a 
calculus corresponding to the logic Intuitionistic R. In Sect. 6 we conclude with 
a discussion of related and further work. 


2 Intuitionistic K 


This section presents results for the calculus of Borghuis [9] for the most basic 
modal logic for necessity, first identified to our knowledge by Božić et al. [10] as 
HK□; following Yokota [43] we use the name Intuitionistic K (IK). This logic 
extends intuitionistic logic with a new unary connective □, one new axiom 


K: □(A → B) → □A → □B 


and one new inference rule 


Necessitation: if A is a theorem, then so is □A. 


2.1 Type System 


Contexts are defined by the grammar 

Γ ::= · | Γ, x:A | Γ, 🔓 

where x is a variable not in Γ, A is a formula of intuitionistic modal logic, and 
🔓 is called a lock. The open lock symbol is used to suggest that a box has been 
opened, allowing access to its contents. 

Ignoring variables and terms, sequents Γ ⊢ A may be interpreted as intu- 
itionistic modal formulae by the translation 

– [[· ⊢ A]] = A; 
– [[B, Γ ⊢ A]] = B → [[Γ ⊢ A]]; 
– [[🔓, Γ ⊢ A]] = □[[Γ ⊢ A]]. 
This interpretation will suffice to confirm the soundness and completeness of 
our calculus, considered as a natural deduction calculus, with respect to IK. It is 
however not a satisfactory basis for a categorical semantics, because it does not 
interpret the context as an object. In Sect. 2.3 we shall see that 🔓 may instead 
be interpreted as a left adjoint of □, applied to the context to its left. 

Figure 1 presents the typing rules. Rules for the product constructions 1, 
A × B, (), (t, u), π₁t, π₂t are as usual and so are omitted, while sums are 
discussed at the end of Sect. 2.2. Note that variables can only be introduced 
or abstracted if they do not appear to the left of a lock. In the variable rule 
the context Γ' builds in variable exchange, while in the open rule Γ' builds in 
variable weakening. Exchange of variables with locks, and weakening for locks, 
are not admissible. 


Γ, x:A, Γ' ⊢ x : A    (🔓 ∉ Γ') 

Γ, x:A ⊢ t : B 
───────────────── 
Γ ⊢ λx.t : A → B 

Γ ⊢ t : A → B    Γ ⊢ u : A 
────────────────────────── 
Γ ⊢ t u : B 

Γ, 🔓 ⊢ t : A 
───────────────── 
Γ ⊢ shut t : □A 

Γ ⊢ t : □A 
──────────────────────    (🔓 ∉ Γ') 
Γ, 🔓, Γ' ⊢ open t : A 


Fig. 1. Typing rules for Intuitionistic K 


Theorem 2.1 (Logical Soundness and Completeness). A formula is a the- 
orem of IK if and only if it is an inhabited type in the empty context. 


We can for example show that the K axiom is inhabited: 


f:□(A→B), x:□A, 🔓 ⊢ open f : A → B    f:□(A→B), x:□A, 🔓 ⊢ open x : A 
───────────────────────────────────────────────────────────────────── 
f:□(A→B), x:□A, 🔓 ⊢ (open f)(open x) : B 
───────────────────────────────────────── 
f:□(A→B), x:□A ⊢ shut((open f)(open x)) : □B 


2.2 Computation 
We extend the usual notion of β-reduction on untyped terms with the rule 

open shut t ↦ t 

We write ↦* for the reflexive transitive closure of ↦. This relation is plainly 
confluent. Two lemmas, proved by easy inductions on the derivation of the terms 
t, then allow us to prove subject reduction: 


Lemma 2.2 (Variable Weakening). If Γ, Γ' ⊢ t : B then Γ, x:A, Γ' ⊢ t : B. 


Lemma 2.3 (Substitution). If Γ, x:A, Γ' ⊢ t : B and Γ ⊢ u : A then 
Γ, Γ' ⊢ t[u/x] : B. 
Theorem 2.4 (Subject Reduction). If Γ ⊢ t : A and t ↦ u then Γ ⊢ u : A. 


Proof. β-reduction for → requires Lemma 2.3, and for □ requires Lemma 2.2. 


A term t is normalisable if there exists an integer v(t) bounding the length 
of any reduction sequence starting with t, and normal if v(t) is 0. By standard 
techniques we prove the following theorems: 


Theorem 2.5 (Strong Normalisation). Given Γ ⊢ t : A, the term t is nor- 
malisable. 


Theorem 2.6 (Canonicity). If Γ is a context containing no variable assign- 
ments, Γ ⊢ t : A, and t is normal, then the main term-former of t is the 
introduction for the main type-former of A. 


Concretely, if A is some base type then t is a value of that type. 


Theorem 2.7 (Subformula Property). Given Γ ⊢ t : A with t normal, all 
subterms of t have as their type in the derivation tree a subtype of A, or a subtype 
of a type assigned in Γ. 


To attain this final theorem we need to take some care with sums. It is well 
known that lambda calculi with sums do not enjoy the subformula property 
unless they have additional reductions called commuting conversions [21, Chap. 
10]. However the commuting conversions for the □ type 


open case s of x.t; y.u ↦ case s of x.open t; y.open u 


open abort t ↦ abort t 


do not obviously enjoy subject reduction because open might change the context. 
However if we tweak the definitions of the elimination term-formers for sums 
according to Fig. 2 then all results of this section indeed hold. 


Γ ⊢ s : A + B    Γ, x:A, Γ' ⊢ t : C    Γ, y:B, Γ' ⊢ u : C 
────────────────────────────────────────────────────── 
Γ, Γ' ⊢ case s of x.t; y.u : C 

Γ ⊢ t : 0 
──────────────────── 
Γ, Γ' ⊢ abort t : A 


Fig. 2. Elimination term-formers for sums 


Finally, while we will not explore computational aspects of η-equivalence in 
this paper, we do note that 

shut open t = t 

obeys subject reduction in both directions (provided, in the expansion case, that 
the type of t has □ as its main type-former). 
2.3 Categorical Semantics 


This section goes beyond Theorem 2.1 to establish the soundness of the type 
system with respect to a categorical semantics, in cartesian closed categories C 
equipped with an endofunctor □ that has a left adjoint, which we write ◆. 

We interpret types as C-objects via the structure of C in the obvious way. We 
then interpret contexts as C-objects by 

– [[·]] = 1; 
– [[Γ, x:A]] = [[Γ]] × A; 
– [[Γ, 🔓]] = ◆[[Γ]]. 

We omit the brackets [[−]] where no confusion is possible, and usually abuse 
notation by omitting the left-most ‘1 ×’ where the left of the context is a variable. 

We will also sometimes interpret contexts Γ as endofunctors, abusing nota- 
tion to also write them as [[Γ]], or merely Γ, by taking [[·]] as the identity, 
[[Γ, x:A]] = [[Γ]] × A, and [[Γ, 🔓]] = ◆[[Γ]]. 

We interpret Γ ⊢ t : A as a C-arrow [[Γ ⊢ t : A]] : [[Γ]] → A, often abbreviated 
to [[t]], or merely t, by induction on the derivation of t as follows. 

Standard constructions such as variables, abstraction and application are 
interpreted as usual. To interpret the rules for sums of Fig. 2 we use the fact 
that ◆, as a left adjoint, preserves colimits. 

shut: we simply apply the isomorphism C(◆[[Γ]], A) → C([[Γ]], □A) given by 
the ◆ ⊣ □ adjunction. 

open: we apply the isomorphism C([[Γ]], □A) → C(◆[[Γ]], A) to the arrow 
interpreting the premise, then compose with the projection [[Γ, 🔓, Γ']] → [[Γ, 🔓]]. 


Theorem 2.8 (Categorical Soundness). If Γ ⊢ t : A and t ↦ t' then [[t]] = [[t']]. 


We also have that η-equivalent terms have the same denotation. 


3 Left Adjoints and Categorical Completeness 


In this section we extend the calculus to include the left adjoint ◆ as a first-class 
type-former, and hence prove categorical completeness. The underlying logic is 
the fragment of intuitionistic tense logic [17] with just one pair of modalities, 
studied by Dzik et al. [15] as ‘intuitionistic logic with a Galois connection’; we 
use the name IK◆. We have two new axioms 

η^m : A → □◆A 

ε^m : ◆□A → A 
We use the superscript m to identify these as the unit and counit 
of the modal adjunction ◆ ⊣ □, to differentiate them from other (co)units used 
elsewhere in the paper. We have one new inference rule: 

Monotonicity: if A → B is a theorem, then so is ◆A → ◆B. 
3.1 Type System and Computation 


We extend the type system of Fig. 1 with the new rules for ◆ presented in Fig. 3. 
◆, unlike □, need not commute with products, so does not interact well with 
contexts. Hence the subterms of a let dia term may not share variables. 


Γ ⊢ t : A 
────────────────────────    (🔓 ∉ Γ') 
Γ, 🔓, Γ' ⊢ dia t : ◆A 

Γ ⊢ t : ◆A    x:A, 🔓 ⊢ u : B 
──────────────────────────── 
Γ ⊢ let dia x be t in u : B 


Fig. 3. Additional typing rules for logic IK◆ 


We can construct the axioms of IK◆: 


x:A, 🔓 ⊢ dia x : ◆A              x:◆□A ⊢ x : ◆□A    y:□A, 🔓 ⊢ open y : A 
──────────────────────            ─────────────────────────────────────── 
x:A ⊢ shut dia x : □◆A            x:◆□A ⊢ let dia y be x in open y : A 


and given a closed term f : A → B we have the monotonicity construction 


x:◆A ⊢ x : ◆A    y:A, 🔓 ⊢ dia(f y) : ◆B 
──────────────────────────────────────── 
x:◆A ⊢ let dia y be x in dia(f y) : ◆B 


To this we add the new β rule 
let dia x be dia t in u ↦ u[t/x] 


We can hence extend the syntactic results of the previous section to the logic 
IK◆, with the exception of the subformula property. Consider the term 

x:◆A ⊢ let dia y be x in λz.dia y : ◆A → ◆A    x:◆A ⊢ x : ◆A 
──────────────────────────────────────────────────────────── 
x:◆A ⊢ (let dia y be x in λz.dia y) x : ◆A 


This term is normal but evidently fails the subformula property. One might 
expect, as with sums, that a commuting conversion would save the day by reduc- 
ing the term to let dia y be x in ((λz.dia y) x), but this term sees the free variable 
x appear in the second subterm of a let dia expression, which is not permitted. 

We now turn to η-equivalence, and an equivalence which we call associativity: 


let dia x be t in dia x = t 

let dia x be s in (t[u/y]) = t[let dia x be s in u / y]    if t’s context contains y only 


For example, under associativity the counter-example to the subformula property 
equals (λz.let dia y be x in dia y) x, which reduces to let dia y be x in dia y, which is 
η-equal to x. The equivalences enjoy subject reduction in both directions (requir- 
ing, as usual, that t has the right type for η-expansion). 
3.2 Categorical Semantics 


We interpret the new term-formers in the same categories as used in Sect. 2.3. 
For dia, given t : Γ → A we compose ◆t with the projection Γ, 🔓, Γ' → Γ, 🔓. 
The denotation of let dia x be t in u is simply u ∘ t. We may then confirm the sound- 
ness of β-reduction, η-equivalence, and associativity; we call these equivalences 
collectively definitional equivalence. 

We extend standard techniques for proving completeness [25], constructing 
a term model, a category with types as objects and, as arrows A → B, terms of 
form x : A ⊢ t : B modulo definitional equivalence. This is a category by taking 
identity as the term x and composition u ∘ t as u[t/x]. It is a cartesian closed 
category using the type- and term-formers for products and function spaces. 

The modalities ◆ and □ act on types; they also act on terms by, for ◆, the 
monotonicity construction, and for □, mapping x:A ⊢ t : B to x:□A ⊢ 
shut t[open x/x] : □B. One can check these constructions are functorial, and 
that the terms for η^m and ε^m are natural and obey the triangle equalities for 
the adjunction ◆ ⊣ □. 

Given a context Γ we define the context term Γ ⊢ c_Γ : [[Γ]] by 

– c_{Γ,x:A} = (c_Γ, x); 
– c_{Γ,🔓} = dia c_Γ. 


Lemma 3.1. Given Γ ⊢ t : A, t is definitionally equal to [[Γ ⊢ t : A]][c_Γ/x]. 


Theorem 3.2 (Categorical Completeness). If Γ ⊢ t : A and Γ ⊢ u : A are 
equal in all models then they are definitionally equal. 


Proof. t and u have equal denotations in the term model, so their denotations 
are definitionally equal. Definitional equality is preserved by substitution, so 
[[Γ ⊢ t : A]][c_Γ/x] = [[Γ ⊢ u : A]][c_Γ/x], so by Lemma 3.1, t = u. 


4 Intuitionistic S4 for Idempotent Comonads 


Intuitionistic S4 (IS4) is the extension of IK with the axioms 

T: □A → A 

4: □A → □□A 
To the category theorist IS4 naturally suggests the notion of a comonad. IS4 is 
one of the most studied and widely applied intuitionistic modal logics; in partic- 
ular there exist two Fitch-style calculi [13,34]. We conjecture that similar results 
to the previous sections could be developed for these calculi. Instead of pursu- 
ing such a result, we here show that a simpler calculus is possible if we restrict 
to idempotent comonads, where □A and □□A are isomorphic. This restriction 
picks out an important class of examples — see for example the discussion of 
Rijke et al. [35] — and relies on a novel ‘coherence’ proof. 


266 R. Clouston 


4.1 Type System and Computation 
A calculus for IS4 is obtained by replacing the open rule of Fig. 1 by 


Γ ⊢ t : □A 
────────────────────── 
Γ, Γ' ⊢ open t : A 


The T and 4 axioms are obtained by 

x:□A ⊢ x : □A                   x:□A, 🔓, 🔓 ⊢ open x : A 
─────────────────               ─────────────────────────── 
x:□A ⊢ open x : A               x:□A, 🔓 ⊢ shut open x : □A 
                                ─────────────────────────── 
                                x:□A ⊢ shut shut open x : □□A 


This confirms logical completeness; one can also easily check soundness. 
Subject reduction for the β-reduction open shut t ↦ t requires a new lemma, 
proved by an easy induction on t: 


Lemma 4.1 (Lock Replacement). If Γ, 🔓, Γ' ⊢ t : A then Γ, Γ'', Γ' ⊢ t : A. 


The key syntactic Theorems 2.5, 2.6, and 2.7 then follow easily. 

η-expansion obeys subject reduction as before, but it is not the case, for 
example, that the term presented above for the 4 axiom reduces to shut x. We 
may however accept a notion of η-reduction on typed terms-in-context: 


Γ ⊢ shut open t ↦ t : □A    provided that Γ ⊢ t : □A 


This equivalence is more powerful than it might appear; it allows us to derive 
the idempotence of □, as the 4 axiom is mutually inverse with the instance 
□□A → □A of the T axiom. That is, λx.open shut shut open x reduces to the 
identity on □A, and λx.shut shut open open x reduces to the identity on □□A. 


4.2 Categorical Semantics 


We give semantics to our type theory in a cartesian closed category with an 
adjunction of endofunctors ◆ ⊣ □ in which □ is a comonad. Equivalently [16, 
Sect. 3], ◆ is a monad, equipped with a unit η and multiplication μ. To con- 
firm the coherence of these semantics, discussed in the next subsection, and the 
soundness of η-equivalence, we further require that □ is idempotent, or equiva- 
lently that all μ_A : ◆◆A → ◆A are isomorphisms with inverses η_{◆A} = ◆η_A. 

To define the semantics we define lock replacement natural transformations 
l_Γ : [[Γ]] → ◆, corresponding to Lemma 4.1, by induction on Γ: 


– l_· is the unit η of the monad; 
– l_{Γ,x:A} is the projection composed with l_Γ; 
– l_{Γ,🔓} is ◆l_Γ composed with μ. 


Note that l_🔓 is the identity by the monad laws. 
We may now define the interpretation of open: given t : Γ → □A we apply 
the adjunction to get an arrow ◆Γ → A, then compose with l_{Γ'} : Γ, Γ' → Γ, 🔓. 


Lemma 4.2. If we replace part of a context with a lock, then replace part of the 
new context that includes the new lock, we could have done this in one step: 


[Commuting diagram, not recoverable from the extracted text: it relates the lock 
replacements from Γ₁, Γ₂, Γ₃, Γ₄ to Γ₁, Γ₂, 🔓, Γ₄, one of its arrows being Γ₂(l_{Γ₃}).] 


Proof. By induction on Γ₄, with the base case following by induction on Γ₃. 
Lemma 4.3. [[Γ, 🔓, Γ' ⊢ t : A]] ∘ Γ'(l_{Γ''}) = [[Γ, Γ'', Γ' ⊢ t : A]]. 


Proof. By induction on the derivation of t. 


Now open shut t, where the open has weakening Γ', has denotation ε^m ∘ ◆□[[t]] ∘ 
◆η^m ∘ l_{Γ'}, which is [[t]] ∘ l_{Γ'} by the naturality of ε^m, and the adjunction. This is 
what is required by Lemma 4.3, so β-reduction for □ is soundly modelled. 


4.3 Coherence 


Because the open rule involves a weakening, and does not explicitly record in the 
term what that weakening is, the same typed term-in-context can be the root of 
multiple derivation trees, for example: 


x:□□A ⊢ x : □□A                      x:□□A ⊢ x : □□A 
x:□□A, 🔓 ⊢ open x : □A              x:□□A ⊢ open x : □A 
x:□□A, 🔓, 🔓 ⊢ open open x : A      x:□□A, 🔓, 🔓 ⊢ open open x : A 


The categorical semantics of the previous section is defined by induction on 
derivations, and so does not truly give semantics to terms unless any two trees 
with the same root must have the same denotation. In this section we show that 
this property, here called coherence, indeed holds. We make crucial use of the 
idempotence of the comonad. 

We first observe that if Γ, Γ', Γ'' ⊢ t : A and all variables of Γ' are not free in 
t, then Γ, Γ'' ⊢ t : A. The following lemma, proved by easy inductions, describes 
how the denotations of these derivations are related: 


Lemma 4.4. 1. If x is not free in t then Γ, x:A, Γ' ⊢ t : B has the same 
denotation as [[Γ, Γ' ⊢ t : B]] ∘ Γ'(π). 
2. Γ, Γ' ⊢ t : B has denotation [[Γ, 🔓, Γ' ⊢ t : B]] ∘ Γ'(η). 


The technical lemma below is the only place where idempotence is used. 
Lemma 4.5. Given Γ, Γ' ⊢ t : A with Γ' not free in t, we have 


            t 
Γ, Γ' ─────────→ A 
  │               │ 
  │ l_{Γ'}        │ η 
  ↓               ↓ 
Γ, 🔓 ─────────→ ◆A 
           ◆t 


where t on the bottom line is the original arrow with Γ' strengthened away. 


Proof. By induction on Γ'. The base case holds by the naturality of η. 

We present only the lock case: η ∘ t = ◆t ∘ η by the naturality of η. But 
by idempotence, η : Γ, Γ', 🔓 → Γ, Γ', 🔓, 🔓 equals ◆η. Then by Lemma 4.4 
◆t ∘ ◆η is ◆[[Γ, Γ' ⊢ t : A]], i.e. we have strengthened the lock away and can hence 
use our induction hypothesis, making the top trapezium commute in: 


[Commuting diagram, not recoverable from the extracted text: its vertices include 
Γ, Γ', A, ◆◆A (carrying an identity edge) and ◆A, and its regions are the top 
trapezium, left triangle, bottom trapezium and right triangle discussed below.] 


The left triangle commutes by definition, the bottom trapezium commutes by 
the naturality of μ, and the right triangle commutes by the monad laws. 


Lemma 4.6. Given Γ, Γ' ⊢ t : A with Γ' not free in t, we have 


[Commuting diagram, not recoverable from the extracted text: its top-left vertex 
is Γ, Γ', Γ'', its bottom row is Γ, 🔓 → ◆A, and its vertical arrows are lock 
replacements l.] 


where the bottom t is obtained via strengthening. 


Proof. By induction on Γ''. The base case follows by Lemma 4.5. 


Lemma 4.7. Given Γ, Γ' ⊢ t : □A with the variables of Γ' not free in t, the 
following arrows are equal: 


– Γ, Γ', Γ'' ⊢ open t : A where the weakening is Γ''; 
– obtaining an arrow Γ → □A via Lemma 4.4, then applying open with weak- 
ening Γ', Γ''. 
Proof. Immediate from Lemma 4.6, i.e. 


[Commuting diagram, not recoverable from the extracted text: its bottom row is 
Γ, 🔓 → ◆□A → A, with arrows ◆t and ε^m.] 


Theorem 4.8 (Coherence). Given two different derivation trees of a term, 
their denotation is equal. 


Proof. By induction on the number of nodes in the trees. The base case with 
one node is trivial. Suppose we have n + 1 nodes. Then the induction hypothesis 
immediately completes the proof unless the nodes above the roots are non-equal. 
Then the final construction must be an instance of open, i.e. we have 


Γ ⊢ t : □A                     Γ, Γ' ⊢ t : □A 
Γ, Γ', Γ'' ⊢ open t : A        Γ, Γ', Γ'' ⊢ open t : A 


Clearly any variables in Γ' are not free in t, so we can use Lemma 4.4 on the top 
line of the right hand tree to derive Γ ⊢ t : □A. By induction hypothesis this 
has the same denotation as the top line of the left hand tree. But Lemma 4.7 
tells us that applying this strengthening and then opening with Γ', Γ'' is the 
same as opening with Γ'' only. 


We can now demonstrate the soundness of η-equivalence: given Γ ⊢ t : □A 
and Γ ⊢ shut open t : □A by any derivations, we can by coherence safely assume 
that open used one lock only as its weakening, and so the arrows are equal by 
the ◆ ⊣ □ adjunction. 


4.4 Left Adjoints and Categorical Completeness 
Following Sect. 3 we can add ◆ to the type theory; we need only modify the dia 
rule to 

Γ ⊢ t : A 
────────────────────── 
Γ, Γ' ⊢ dia t : ◆A 


to retain Lemma 4.1. The results of the previous sections, apart once more for the 
subformula property, still hold, where we define the denotation of Γ, Γ' ⊢ dia t as 
◆t composed with l_{Γ'}. In particular, we must confirm that Lemma 3.1 extends 
to the new definitions of open and dia, for which we need the lemma below: 


Lemma 4.9. Given the term x : [[Γ, Γ']] ⊢ l_{Γ'} : ◆[[Γ]] defined in the term model, 
l_{Γ'}[c_{Γ,Γ'}/x] is definitionally equal to dia c_Γ. 


Now [[open t]][c_{Γ,Γ'}/x] is let dia x be (let dia x be l_{Γ'}[c_{Γ,Γ'}/x] in dia [[t]]) in open x, 
which by the lemma above is let dia x be (let dia x be dia c_Γ in dia [[t]]) in open x ↦ 
open [[t]][c_Γ/x], which equals open t by induction. The proof for dia is similar. 
5 Intuitionistic R 


One can readily imagine how the calculus for IS4 could be modified for logics 
with only one of the T and 4 axioms. In this section we instead illustrate the 
flexibility of Fitch-style calculi by defining a calculus for the rather different logic 
Intuitionistic R (IR), which extends IK with the axiom 

R: A → □A 
This axiom was first studied for intuitionistic necessity modalities by Curry [12], 
along with the axiom M, □□A → □A, to develop a logic for monads. The 
importance of the logic with R but without M was established by McBride and 
Paterson [30] who showed that it captured the useful programming abstraction 
of applicative functors. We take the name R for the axiom from Fairtlough and 
Mendler [18], and for the logic from Litak [28]. 

We modify Figs. 1 and 3 simply by removing the side-conditions 🔓 ∉ Γ' from 
the variable, open, and dia rules. We can then derive R: 


x:A, 🔓 ⊢ x : A 
───────────────── 
x:A ⊢ shut x : □A 
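The three open rules compared so far (Fig. 1 for IK, the Sect. 4.1 rule for IS4, and the rule without the side-condition 🔓 ∉ Γ' just used for IR) differ only in which weakenings Γ' they admit, so one checker can carry all three. The Python below is an added example and not code from the paper: it encodes contexts as lists of bindings and locks, implements the variable, abstraction, application, shut and open rules with the side conditions of Sects. 2.1, 4.1 and 5 together with the β-rules of Sect. 2.2, and then reports which of the axiom terms K, T, 4 and R are inhabited in each calculus (K in all three, T and 4 in IS4, R in IR, and 4 also in IR as the instance of R at □A). The names `infer`, `weakening_ok`, `normalize`, `axiom_table`, `subject_reduction_example` and the tuple encodings of types and terms are this example's own assumptions.

```python
"""Added example, not code from the paper: a type checker for the Fitch-style calculi
of Sects. 2.1 (IK), 4.1 (IS4) and 5 (IR), with beta-normalisation.  Contexts are lists
of bindings (name, type) and the lock marker LOCK; the calculi differ only in the side
conditions of the variable and open rules.  All names and encodings are this example's own."""
LOCK = "lock"  # stands for the open-lock symbol of the paper's contexts
# Types: ("base", n) | ("arrow", A, B) | ("box", A);  terms: ("var", x) | ("lam", x, A, t) |
# ("app", t, u) | ("shut", t) | ("open", t)
def base(n):      return ("base", n)
def arrow(a, b):  return ("arrow", a, b)
def box(a):       return ("box", a)
def var(x):       return ("var", x)
def lam(x, a, t): return ("lam", x, a, t)
def app(t, u):    return ("app", t, u)
def shut(t):      return ("shut", t)
def open_(t):     return ("open", t)  # 'open' would shadow a Python builtin
class Untypable(Exception): pass      # raised when no derivation exists

def weakening_ok(g, logic):
    """Side condition on the weakening Gamma' (here g) of the open rule."""
    if logic == "IS4":   # Sect. 4.1: Gamma' is arbitrary, possibly empty
        return True
    if logic == "IR":    # Sect. 5: Gamma' = lock, Gamma'' with Gamma'' unrestricted
        return g[:1] == [LOCK]
    return g[:1] == [LOCK] and LOCK not in g[1:]  # IK (Fig. 1): no lock in Gamma''

def infer(ctx, term, logic="IK"):
    """Type of `term` in context `ctx`; raises Untypable if there is no derivation."""
    tag = term[0]
    if tag == "var":     # Gamma, x:A, Gamma' |- x : A; Fig. 1 forbids a lock in Gamma'
        for i in range(len(ctx) - 1, -1, -1):
            if ctx[i] != LOCK and ctx[i][0] == term[1]:
                if logic != "IR" and LOCK in ctx[i + 1:]:   # Sect. 5 drops the condition
                    raise Untypable(f"{term[1]} is to the left of a lock")
                return ctx[i][1]
        raise Untypable(f"unbound variable {term[1]}")
    if tag == "lam":     # Gamma, x:A |- t : B  =>  Gamma |- lambda x.t : A -> B
        _, x, a, body = term
        return arrow(a, infer(ctx + [(x, a)], body, logic))
    if tag == "app":     # Gamma |- t : A -> B,  Gamma |- u : A  =>  Gamma |- t u : B
        ft, at = infer(ctx, term[1], logic), infer(ctx, term[2], logic)
        if ft[0] != "arrow" or ft[1] != at:
            raise Untypable("ill-typed application")
        return ft[2]
    if tag == "shut":    # Gamma, lock |- t : A  =>  Gamma |- shut t : box A
        return box(infer(ctx + [LOCK], term[1], logic))
    if tag == "open":    # Gamma |- t : box A  =>  Gamma, Gamma' |- open t : A
        for i in range(len(ctx), -1, -1):  # try every split ctx = Gamma, Gamma'
            if weakening_ok(ctx[i:], logic):
                try:
                    ty = infer(ctx[:i], term[1], logic)
                    if ty[0] == "box":
                        return ty[1]
                except Untypable:
                    pass  # another split may still give a derivation
        raise Untypable("open: no split of the context yields a derivation")
    raise Untypable(f"unknown term former {tag}")

def subst(term, x, u):
    """t[u/x]; assumes bound names differ from free ones, so no capture occurs."""
    tag = term[0]
    if tag == "var":
        return u if term[1] == x else term
    if tag == "lam":
        return term if term[1] == x else lam(term[1], term[2], subst(term[3], x, u))
    if tag == "app":
        return app(subst(term[1], x, u), subst(term[2], x, u))
    return (tag, subst(term[1], x, u))  # shut t, open t

def normalize(term):
    """Normal form under (lambda x.t) u |-> t[u/x] and open shut t |-> t (Sect. 2.2)."""
    tag = term[0]
    if tag == "var":
        return term
    if tag == "lam":
        return lam(term[1], term[2], normalize(term[3]))
    if tag == "app":
        f, a = normalize(term[1]), normalize(term[2])
        return normalize(subst(f[3], f[1], a)) if f[0] == "lam" else app(f, a)
    t = normalize(term[1])
    return t[1] if tag == "open" and t[0] == "shut" else (tag, t)

A, B = base("A"), base("B")
def derivable(ctx, term, logic):
    try: return infer(ctx, term, logic)
    except Untypable: return None

def axiom_table():
    """For each calculus, whether the paper's terms for the axioms K, T, 4, R type-check."""
    bA = box(A)
    cases = {  # (context, term, expected type), following the derivations in the paper
        "K": ([("f", box(arrow(A, B))), ("x", bA)], shut(app(open_(var("f")), open_(var("x")))), box(B)),
        "T": ([("x", bA)], open_(var("x")), A),
        "4": ([("x", bA)], shut(shut(open_(var("x")))), box(bA)),
        "R": ([("x", A)], shut(var("x")), bA)}
    return {logic: {n: derivable(c, t, logic) == ty for n, (c, t, ty) in cases.items()}
            for logic in ("IK", "IS4", "IR")}

def subject_reduction_example():
    """Theorem 2.4: the type is unchanged by normalisation; both beta-rules fire here."""
    ctx, t = [("x", box(A))], app(lam("y", box(A), shut(open_(var("y")))), shut(open_(shut(open_(var("x"))))))
    nf = normalize(t)  # shut (open x)
    return infer(ctx, t), nf, infer(ctx, nf)
```

In the IS4 case `infer` tries every split of the context at an `open`, which is exactly the non-uniqueness of derivations that the coherence theorem of Sect. 4.3 addresses; the checker takes the first split that succeeds, and coherence is what justifies ignoring the others when computing a denotation.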


For substitution and subject reduction we require the following lemma, easily 
proved by induction on the derivation of t: 


Lemma 5.1 (Lock Weakening). If Γ, Γ' ⊢ t : A then Γ, 🔓, Γ' ⊢ t : A. 


We can also observe that η-equivalence preserves types in both directions. 

We give semantics for this calculus in a cartesian closed category equipped 
with an adjunction of endofunctors ◆ ⊣ □ and a ‘point’ natural transformation 
r : Id → □ preserved by □, i.e. □r = r : □A → □□A. This last property makes 
this model slightly less general than the notion of tensorial strength used for 
categorical semantics by McBride and Paterson [30], but is needed for coherence 
and the soundness of η-equivalence. We will use the arrow ◆A → A defined by 
applying the adjunction to r; we call this q and note the property: 


Lemma 5.2. q = ◆q : ◆◆A → ◆A. 


The weakening natural transformation w_Γ : Γ → Id is defined by induc- 
tion on Γ via projection and q. Variables are then denoted by projection com- 
posed with weakening, and weakening is used similarly for open and dia. We 
can hence show the soundness of β-reduction for □ and ◆. For the soundness of 
η-equivalence for □ we need the following lemma: 


Lemma 5.3. w_{Γ₂,🔓} = ◆w_{🔓,Γ₂} : Γ₁, 🔓, Γ₂, 🔓 → Γ₁, 🔓. 


The denotation of Γ, 🔓, Γ' ⊢ shut open t is □ε^m ∘ □◆t ∘ □w_{Γ',🔓} ∘ η^m. By the 
above lemma we replace □w_{Γ',🔓} with □◆w_{🔓,Γ'}, so by the naturality of η^m we 
have □ε^m ∘ η^m ∘ t ∘ w_{🔓,Γ'}, which is t ∘ w_{🔓,Γ'} by the monad laws. 
Moving to coherence, we conduct a similar induction to Theorem 4.8, con- 
sidering the case 


Γ ⊢ t : □A                              Γ, 🔓, Γ' ⊢ t : □A 
Γ, 🔓, Γ', 🔓, Γ'' ⊢ open t : A         Γ, 🔓, Γ', 🔓, Γ'' ⊢ open t : A 


The top line on the left weakens to the top line on the right, with denotation 
t ∘ w_{🔓,Γ'}. By induction this equals the denotation of the top line of the right. Then 
the right hand term has denotation ε^m ∘ ◆t ∘ ◆w_{🔓,Γ'} ∘ w_{Γ''}. But by Lemma 5.3 
◆w_{🔓,Γ'} = w_{Γ',🔓}. It is clear that w_{Γ',🔓} ∘ w_{Γ''} = w_{Γ',🔓,Γ''}, which is exactly the 
weakening used on the left. Coherence for dia follows similarly. 

Moving finally to categorical completeness, in the term model □t ∘ r is 
shut t[open shut x/x], which reduces to shut t, so r is natural. □r : □A → □□A 
is shut shut open x, which is indeed η-equal to shut x. 

We finally need to update Lemma 3.1 for our new definitions. We do this via 
a lemma similar to Lemma 4.9: 


Lemma 5.4. Given the term x : [[Γ, Γ']] ⊢ w_{Γ'} : [[Γ]] defined in the term model, 
w_{Γ'}[c_{Γ,Γ'}/x] is definitionally equal to c_Γ. 


Now the denotation of Γ, x:A, Γ' ⊢ x : A is π₂ ∘ w_{Γ'}. Therefore we have 
π₂ w_{Γ'}[c_{Γ,x:A,Γ'}/x], which is π₂ c_{Γ,x:A} by the lemma above. This is π₂(c_Γ, x), which 
reduces to x. 

The denotation of Γ, 🔓, Γ' ⊢ open t : A is let dia x be w_{Γ'} in open [[t]]. Apply- 
ing the substitution [c_{Γ,🔓,Γ'}/x] along with the lemma above yields the term 
let dia x be dia c_Γ in open [[t]] ↦ open [[t]][c_Γ/x], and induction completes. The cal- 
culations for dia follow similarly. 


6 Related and Further Work 


Conventional contexts. Lambda calculi with conventional contexts containing 
typed variables only have been proposed for the logic of monads [32], for IS4 [5], 
for IK [4], and for a logic with ‘Löb induction’ [6], from which one can extract a 
calculus for IR. In previous work [11] we developed the guarded lambda calculus 
featuring two modalities, where one (‘constant’) was an (idempotent) comonad, 
and the other (‘later’) supported a notion of guarded recursion corresponding to 
Löb induction. We therefore used the existing work [5,6] ‘off the shelf’. 
Problems arose when we attempted to extend our calculus with dependent 
types [7]. Neither of the calculi with conventional contexts we had used scaled 
well to this extension. The calculus for IS4 [5], whose terms involved explicit sub- 
stitutions, turned out to require these substitutions on types also, which added 
a level of complexity that made it difficult to write even quite basic dependently 
typed programs. The constant modality was therefore jettisoned in favour of an 
approach based on clock quantification [1], of which more below. The calculus for 
later employed a connective ⊛ (from McBride and Paterson [30]) which acted 
on function spaces under the modality. However with dependent types we need 
to act not merely on function spaces, but on Π-types, and ⊛ was unable to be 
used. Instead a novel notion of ‘delayed substitution’ was introduced. These were 
given an equational theory, but some of these equations could not be directed, 
so they did not give rise to a useful notion of computation. 


Modalities as quantifiers. The suggestive but formally rather underdevel- 
oped paper of De Queiroz and Gabbay [14] proposed that necessity modalities 
should be treated as universal quantifiers, inspired by the standard semantics of 
necessity as ‘for all possible worlds’. This is one way to understand the relation- 
ship between the constant modality and clock quantification [1]. However clock 
quantification is more general than a single constant modality because we can 
identify multiple free clock variables with multiple ‘dimensions’ in which a type 
may or may not be constant. This gap in generality can probably be bridged by 
using multiple independent constant modalities. More problematically, while it 
is clear what the denotational semantics of the constant modality are, the best 
model for clock quantifiers yet found [8] is rather complicated and still leaves 
open some problems with coherence in the presence of a universe. 


Previous Fitch-style calculi. The Fitch-style approach was pioneered, appar- 
ently independently, by Martini and Masini [29] and Borghuis [9]. Martini and 
Masini’s work is rather notationally heavy, and weakening appears not to be 
admissible. Borghuis’s calculus for IK is excellent, but his calculi for stronger 
logics are not so compelling, as each different axiom is expressed with another 
version of the open or shut rules, not all of which compute when combined. The 
calculus for IS4 of Pfenning and Wong [34], refined by Davies and Pfenning [13, 
Sect. 4], provide the basis of the IS4 calculus of this paper, but involve some 
complications which appear to correlate to not assuming idempotence. We have 
extended this previous work by investigating the subformula property, introduc- 
ing categorical semantics, and showing how left adjoints to necessity modalities 
a la tense logic can be used as types. Finally, the recent clocked type theory 
of Bahr et al. [3] independently gave a treatment of the later modality that on 
inspection is precisely Fitch-style (albeit with named ‘locks’), and which has 
better computational properties than the delayed substitution approach. 


Dual contexts. Davies and Pfenning [13] use a pair of contexts A;I with 
intended meaning OA A T. This is quite different from the semantics of Fitch- 
style sequents, where structure in the context denotes the left adjoint of O. In 
recent work Kavvos [24] has shown that dual contexts may capture a number of 
different modal logics, and the approach has been used as a foundation for both 
pen-and-paper mathematics [37] and, via an Agda fork [40], formalisation [26]. 
We support this work but there is reason to explore other options. First, writ- 
ing programs with dual context calculi was described by Davies and Pfenning 
themselves as ‘somewhat awkward’, and in the same paper they suggest the 
Fitch-style approach as a less awkward alternative. Indeed, Fitch’s approach 
was exactly designed to capture ‘natural’ modal deduction. Second, any appli- 
cation with multiple interacting modalities is unlikely to be accommodated in 
a mere two zones; the mode theories of Licata et al. [27] extend the dual zone 


Fitch-Style Modal Lambda Calculi 273 


approach to a richer setting in which interacting modalities, substructural con- 
texts, and even Fitch-style natural deduction can be expressed², but the increase 
in complexity is considerable and much work remains to be done. 


Further logics and algorithmic properties. We wish to bring more logics 
into the Fitch-style framework, in particular the logic of the later modality, 
extending IR with the strong Löb axiom $(\Box A \to A) \to A$. The obvious treatment 
of this axiom does not terminate, but Bahr et al. [3] suggest that this can be 
managed by giving names to locks. We would further like to develop calculi with 
multiple modalities. This is easy to do by assigning each modality its own lock; 
two IK modalities give exactly the intuitionistic tense logic of Goré et al. [22]. 
The situation is rather more interesting where the modalities interact, as with 
the later and constant modalities. Finally, we would like to further investigate 
algorithmic properties of Fitch-style calculi such as type checking, type inference, 
and $\eta$-expansion and other notions of computation. In particular, we wonder if a 
notion of commuting conversion can be defined so that the calculi with @ enjoy 
the subformula property. 
Abstract. We define a variant of Krivine realizability where realizers 
are pairs of a term and a substitution. This variant allows us to prove 
the normalization of a simply-typed call-by-need λ-calculus with control 
due to Ariola et al. Indeed, in such a call-by-need calculus, substitutions 
have to be delayed until knowing whether an argument is really needed. We 
then extend the proof to a call-by-need λ-calculus equipped with a type 
system equivalent to classical second-order predicate logic, representing 
one step towards proving the normalization of the call-by-need classical 
second-order arithmetic introduced by the second author to provide a 
proof-as-program interpretation of the axiom of dependent choice. 


1 Introduction 


1.1 Realizability-Based Normalization 


Normalization by realizability is a standard technique to prove the normalization 
of typed λ-calculi. Originally introduced by Tait [36] to prove the normalization 
of System T, it was extended by Girard to prove the normalization of System 
F [11]. This kind of technique, also called normalization by reducibility or 
normalization by logical relations, works by interpreting each type by a set of 
typed or untyped terms seen as realizers of the type, then showing that the way 
these sets of realizers are built preserves properties such as normalization. Over 
the years, this method has been used and generalized in many ways, for a 
more detailed account of which we refer the reader to the work of Gallier [9]. 

Realizability techniques were adapted to the normalization of various calculi 
for classical logic (see e.g. [3,32]). A specific framework tailored to the study of 
realizability for classical logic has been designed by Krivine [19] on top of a λ-
calculus with control whose reduction is defined in terms of an abstract machine. 
In such a machine, terms are evaluated in front of stacks, and control (thus 
classical logic) is made available through the possibility of saving and restoring 
stacks. During the last twenty years, Krivine’s classical realizability turned out 
to be fruitful both from the point of view of logic, leading to the construction of 
new models of set theory, and generalizing in particular the technique of Cohen’s 
forcing [20-22]; and on its computational facet, providing alternative tools for the 
analysis of the computational content of classical programs$^1$. 

© The Author(s) 2018 

Noteworthily, Krivine realizability is one of the approaches contributing to 
advocating the motto that through the Curry-Howard correspondence, with new 
programming instructions come new reasoning principles$^2$. Our original motivation 
for the present work is actually in line with this idea, in the sense that our 
long-term purpose is to give a realizability interpretation to $\mathrm{dPA}^\omega$, a call-by-need 
calculus defined by the second author [15]. In this calculus, the lazy evaluation 
is indeed a fundamental ingredient in order to obtain an executable proof term 
for the axiom of dependent choice. 


1.2 Contributions of the Paper 


In order to address the normalization of typed call-by-need λ-calculus, we design 
a variant of Krivine’s classical realizability, where the realizers are closures 
(a term with a substitution for its free variables). The call-by-need λ-calculus 
with control that we consider is the $\bar\lambda_{[lv\tau\star]}$-calculus. This calculus, which was 
defined by Ariola et al. [2], is syntactically described in an extension with explicit 
substitutions of the $\lambda\mu\tilde\mu$-calculus [6, 14, 29]. The syntax of the $\lambda\mu\tilde\mu$-calculus itself 
refines the syntax of the λ-calculus by syntactically distinguishing between terms 
and evaluation contexts. It also contains commands which combine terms and 
evaluation contexts so that they can interact together. Thinking of evaluation 
contexts as stacks and commands as states, the $\lambda\mu\tilde\mu$-calculus can also be seen 
as a syntax for abstract machines. From a proof-as-program point of view, the 
$\lambda\mu\tilde\mu$-calculus and its variants can be seen as a term syntax for proofs of Gentzen’s 
sequent calculus. In particular, the $\lambda\mu\tilde\mu$-calculus contains control operators which 
give a computational interpretation to classical logic. 

We give a proof of normalization first for the simply-typed $\bar\lambda_{[lv\tau\star]}$-calculus$^3$, 
then for a type system with first-order and second-order quantification. While 
we only apply our technique to the normalization of the $\bar\lambda_{[lv\tau\star]}$-calculus, our 
interpretation incidentally suggests a way to adapt Krivine realizability to other 
call-by-need settings. This paves the way to the computational interpretation of 
classical proofs using lazy evaluation or shared memory cells, including the case 
of the call-by-need second-order arithmetic $\mathrm{dPA}^\omega$ [15]. 


1 See for instance [27] about witness extraction or [12,13] about specification problems. 
2 For instance, one way to realize the axiom of dependent choice in classical realizability 
is by means of an extra instruction quote [18]. 
3 Even though it has not been done formally, the normalization of the $\bar\lambda_{lv}$-calculus presented 
in [2] should also be derivable from Polonowski’s proof of strong normalization 
of the non-deterministic $\lambda\mu\tilde\mu$-calculus [35]. The $\bar\lambda_{lv}$-calculus (a big-step variant of the 
$\bar\lambda_{[lv\tau\star]}$-calculus introduced in Ariola et al.) is indeed a particular evaluation strategy 
for the $\lambda\mu\tilde\mu$-calculus, so that the strong normalization of the non-deterministic 
variant of the latter should imply the normalization of the former as a particular 
case. 
2 The $\bar\lambda_{[lv\tau\star]}$-calculus 


2.1 The Call-by-Need Evaluation Strategy 


The call-by-need evaluation strategy of the λ-calculus evaluates arguments of 
functions only when needed, and, when needed, shares their evaluations across all 
places where the argument is required. The call-by-need evaluation is at the heart 
of functional programming languages such as Haskell. It has in common with 
the call-by-value evaluation strategy that all places where the same argument is 
used share the same value. Nevertheless, it observationally behaves like the call-
by-name evaluation strategy (for the pure λ-calculus), in the sense that a given 
computation eventually evaluates to a value if and only if it evaluates to the same 
value (up to inner reduction) along the call-by-name evaluation. In particular, in 
a setting with non-terminating computations, it is not observationally equivalent 
to the call-by-value evaluation. Indeed, if the evaluation of a useless argument 
loops in the call-by-value evaluation, the whole computation loops, which is not 
the case of call-by-name and call-by-need evaluations. 

These three evaluation strategies can be turned into equational theories. For 
call-by-name and call-by-value, this was done by Plotkin through continuation- 
passing-style (CPS) semantics characterizing these theories [34]. For the call-by- 
need evaluation strategy, a specific equational theory reflecting the intensional 
behavior of the strategy into a semantics was proposed independently by 
Ariola and Felleisen [1], and by Maraist et al. [26]. A continuation-passing-style 
semantics was proposed in the 90s by Okasaki et al. [30]. However, this seman- 
tics does not ensure normalization of simply-typed call-by-need evaluation, as 
shown in [2], thus failing to ensure a property which holds in the simply-typed 
call-by-name and call-by-value cases. 

Continuation-passing-style semantics de facto gives a semantics to the extension 
of the λ-calculus with control operators$^4$. In particular, even though call-by-
name and call-by-need are observationally equivalent on the pure λ-calculus, their 
different intensional behaviors induce different CPS semantics, leading to different 
observational behaviors when control operators are considered. On the other 
hand, the semantics of calculi with control can also be reconstructed from an 
analysis of the duality between programs and their evaluation contexts, and the 
duality between the let construct (which binds programs) and a control operator 
such as Parigot’s $\mu$ (which binds evaluation contexts). Such an analysis can 
be done in the context of the $\lambda\mu\tilde\mu$-calculus [6, 14]. 

In the call-by-name and call-by-value cases, the approach based on the $\lambda\mu\tilde\mu$-
calculus leads to continuation-passing style semantics similar to the ones given 
by Plotkin or, in the call-by-name case, also to the one by Lafont et al. [23]. 
As for call-by-need, the $\bar\lambda_{lv}$-calculus, a call-by-need version of 
the $\lambda\mu\tilde\mu$-calculus, is defined in [2]. A continuation-passing style semantics is then defined via a 
calculus called $\bar\lambda_{[lv\tau\star]}$ [2]. This semantics, which is different from Okasaki, Lee 
and Tarditi’s one [30], is the object of study in this paper. 


4 That is to say with operators such as Scheme’s callcc, Felleisen’s $\mathcal{C}$, $\mathcal{K}$, or $\mathcal{A}$ operators 
[8], Parigot’s $\mu$ and $[\,]$ operators [31], Crolard’s catch and throw operators [5]. 
2.2 Explicit Environments 


While the results presented in this paper could be directly expressed using the 
$\bar\lambda_{lv}$-calculus, the realizability interpretation naturally arises from the decomposition 
of this calculus into a different calculus with an explicit environment, the 
$\bar\lambda_{[lv\tau\star]}$-calculus [2]. Indeed, as we shall see in the sequel, the decomposition highlights 
different syntactic categories that are deeply involved in the type system 
and in the definition of the realizability interpretation. 

The $\bar\lambda_{[lv\tau\star]}$-calculus is a reformulation of the $\bar\lambda_{lv}$-calculus with explicit environments, 
called stores and denoted by $\tau$. Stores consist of a list of bindings of 
the form $[x := t]$, where $x$ is a term variable and $t$ a term, and of bindings of 
the form $[\alpha := E]$ where $\alpha$ is a context variable and $E$ a context. For instance, 
in the closure $c\tau[x := t]\tau'$, the variable $x$ is bound to $t$ in $c$ and $\tau'$. Besides, the 
term $t$ might be an unevaluated term (i.e. lazily stored), so that if $x$ is eagerly 
demanded at some point during the execution of this closure, $t$ will be reduced 
in order to obtain a value. In the case where $t$ indeed produces a value $V$, the 
store will be updated with the binding $[x := V]$. However, a binding of this form 
(with a value) is fixed for the rest of the execution. As such, our so-called stores 
somewhat behave like lazy explicit substitutions or mutable environments. 

To draw the comparison between our structures and the usual notions of 
stores and environments, two things should be observed. First, the usual notion 
of store refers to a list structure that is fully mutable, in the sense that the 
cells can be updated at any time and thus values might be replaced. Second, 
the usual notion of environment designates a structure in which variables are 
bound to closures made of a term and an environment. In particular, terms 
and environments are duplicated, i.e. sharing is not allowed. Such a structure 
resembles a tree whose nodes are decorated by terms, as opposed to a machinery 
allowing sharing (like ours) whose underlying structure is broadly a directed 
acyclic graph. See for instance [24] for a Krivine abstract machine with sharing. 


2.3 Syntax and Reduction Rules 


The lazy evaluation of terms allows us to reduce a command $\langle \mu\alpha.c \,\|\, \tilde\mu x.c'\rangle$ 
to the command $c'$ together with the binding $[x := \mu\alpha.c]$: 

$$\langle \mu\alpha.c \,\|\, \tilde\mu x.c'\rangle\tau \;\to\; c'\tau[x := \mu\alpha.c]$$

In this case, the term $\mu\alpha.c$ is left unevaluated (“frozen”) in the store, until 
possibly reaching a command in which the variable $x$ is needed. When evaluation 
reaches a command of the form $\langle x \,\|\, F\rangle\tau[x := \mu\alpha.c]\tau'$, the binding is opened and 
the term is evaluated in front of the context $\tilde\mu[x].\langle x \,\|\, F\rangle\tau'$: 

$$\langle x \,\|\, F\rangle\tau[x := \mu\alpha.c]\tau' \;\to\; \langle \mu\alpha.c \,\|\, \tilde\mu[x].\langle x \,\|\, F\rangle\tau'\rangle\tau$$

The reader can think of the previous rule as the “defrosting” operation of the 
frozen term $\mu\alpha.c$: this term is evaluated in the prefix of the store $\tau$ which predates 
it, in front of the context $\tilde\mu[x].\langle x \,\|\, F\rangle\tau'$ where the $\tilde\mu[x]$ binder is waiting for a value. 
$$\begin{array}{lrcl}
\text{Strong values} & v & ::= & \lambda x.t \mid k \\
\text{Weak values} & V & ::= & v \mid x \\
\text{Terms} & t, u & ::= & V \mid \mu\alpha.c \\
\text{Forcing contexts} & F & ::= & t \cdot E \mid \kappa \\
\text{Catchable contexts} & E & ::= & F \mid \alpha \mid \tilde\mu[x].\langle x \,\|\, F\rangle\tau \\
\text{Evaluation contexts} & e & ::= & E \mid \tilde\mu x.c \\
\text{Stores} & \tau & ::= & \varepsilon \mid \tau[x := t] \mid \tau[\alpha := E] \\
\text{Commands} & c & ::= & \langle t \,\|\, e\rangle \\
\text{Closures} & l & ::= & c\tau
\end{array}$$

$$\begin{array}{lrcl}
(\textsc{Beta}) & \langle \lambda x.t \,\|\, u \cdot E\rangle\tau & \to & \langle u \,\|\, \tilde\mu x.\langle t \,\|\, E\rangle\rangle\tau \\
(\textsc{Let}) & \langle t \,\|\, \tilde\mu x.c\rangle\tau & \to & c\tau[x := t] \\
(\textsc{Catch}) & \langle \mu\alpha.c \,\|\, E\rangle\tau & \to & c\tau[\alpha := E] \\
(\textsc{Lookup}_\alpha) & \langle V \,\|\, \alpha\rangle\tau[\alpha := E]\tau' & \to & \langle V \,\|\, E\rangle\tau[\alpha := E]\tau' \\
(\textsc{Lookup}_x) & \langle x \,\|\, F\rangle\tau[x := t]\tau' & \to & \langle t \,\|\, \tilde\mu[x].\langle x \,\|\, F\rangle\tau'\rangle\tau \\
(\textsc{Restore}) & \langle V \,\|\, \tilde\mu[x].\langle x \,\|\, F\rangle\tau'\rangle\tau & \to & \langle V \,\|\, F\rangle\tau[x := V]\tau'
\end{array}$$

Fig. 1. Syntax and reduction rules of the $\bar\lambda_{[lv\tau\star]}$-calculus 


This context keeps track of the part of the store $\tau'$ that was originally located 
after the binding $[x := \ldots]$. This way, if a value $V$ is indeed furnished for the 
binder $\tilde\mu[x]$, the original command $\langle x \,\|\, F\rangle$ is evaluated in the updated full store: 

$$\langle V \,\|\, \tilde\mu[x].\langle x \,\|\, F\rangle\tau'\rangle\tau \;\to\; \langle V \,\|\, F\rangle\tau[x := V]\tau'$$

The brackets in $\tilde\mu[x].c$ are used to express the fact that the variable $x$ is forced 
at top-level (unlike contexts of the shape $\tilde\mu x.C[\langle x \,\|\, F\rangle]$ in the $\bar\lambda_{lv}$-calculus). The 
reduction system resembles the one of an abstract machine. Especially, it allows 
us to keep the standard redex at the top of a command and avoids searching 
through the meta-context for work to be done. 

Note that our approach slightly differs from [2] since we split values into two 
categories: strong values ($v$) and weak values ($V$). The strong values correspond 
to values strictly speaking. The weak values include the variables which force the 
evaluation of the terms to which they refer into shared strong values. Their evaluation 
may require capturing a continuation. The syntax of the language, which includes 
constants $k$ and co-constants $\kappa$, is given in Fig. 1. As for the reduction $\to$, we 
define it as the compatible reflexive transitive closure of the rules given in Fig. 1. 

The different syntactic categories can be understood as the different levels 
of alternation in a context-free abstract machine (see [2]): the priority is first 
given to contexts at level $e$ (lazy storage of terms), then to terms at level $t$ 
(evaluation of $\mu\alpha$ into values), then back to contexts at level $E$ and so on until 
level $v$. These different categories are directly reflected in the definition of the 
abstract machine defined in [2], and will thus be involved in the definition of our 
realizability interpretation. We chose to highlight this by distinguishing different 
types of sequents already in the typing rules that we shall now present. 
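As an added illustration (not code from the paper), the following Python interpreter implements the six reduction rules of Fig. 1 over a hypothetical tuple encoding of the syntax, and runs a constructed command in which the frozen argument $\mu\alpha.\langle k \,\|\, \alpha\rangle$ is demanded twice, so that lazy storage, the $(\textsc{Lookup}_x)$/$(\textsc{Restore})$ round trip and the final store update $[x := k]$ can be observed step by step.

```python
# Added example, not the paper's own code: a step interpreter for Fig. 1.
# Hypothetical tuple encoding (all variable names assumed distinct, as in the paper):
#   terms     ('k', name) | ('var', x) | ('lam', x, t) | ('mu', alpha, c)
#   contexts  ('kappa', name) | ('covar', alpha) | ('cons', t, E)        # t.E
#             | ('mutilde', x, c) | ('mutildebox', x, F, tau')          # mu~[x].<x||F>tau'
#   commands  (t, e);   a store is a list of (name, term-or-context) pairs

def is_strong_value(t):          # v ::= lambda x.t | k
    return t[0] in ('lam', 'k')

def is_weak_value(t):            # V ::= v | x
    return is_strong_value(t) or t[0] == 'var'

def is_forcing(e):               # F ::= t.E | kappa
    return e[0] in ('cons', 'kappa')

def is_catchable(e):             # E ::= F | alpha | mu~[x].<x||F>tau'
    return is_forcing(e) or e[0] in ('covar', 'mutildebox')

def lookup(store, name):
    """Index of the (unique) binding of `name` in the store, or None."""
    for i, (n, _) in enumerate(store):
        if n == name:
            return i
    return None

def step(cmd, store):
    """One reduction step: (rule, cmd', store'), or None when the closure is normal."""
    t, e = cmd
    if t[0] == 'lam' and e[0] == 'cons':                           # (Beta)
        _, x, body = t
        _, u, E = e
        return 'Beta', (u, ('mutilde', x, (body, E))), store
    if e[0] == 'mutilde':                                            # (Let): lazy storage
        _, x, c = e
        return 'Let', c, store + [(x, t)]
    if t[0] == 'mu' and is_catchable(e):                             # (Catch)
        _, a, c = t
        return 'Catch', c, store + [(a, e)]
    if is_weak_value(t) and e[0] == 'covar':                         # (Lookup alpha)
        i = lookup(store, e[1])
        if i is not None:
            return 'LookupAlpha', (t, store[i][1]), store
    if t[0] == 'var' and is_forcing(e):                              # (Lookup x): defrost
        i = lookup(store, t[1])
        if i is not None:
            x, bound = store[i]
            # evaluate the stored term in the prefix store; the suffix travels in mu~[x]
            return 'LookupX', (bound, ('mutildebox', x, e, store[i + 1:])), store[:i]
    if is_weak_value(t) and e[0] == 'mutildebox':                    # (Restore)
        _, x, F, suffix = e
        return 'Restore', (t, F), store + [(x, t)] + suffix
    return None

def run(cmd, store=(), limit=1000):
    """Reduce until no rule applies; returns (rule trace, final command, final store)."""
    store, trace = list(store), []
    for _ in range(limit):
        result = step(cmd, store)
        if result is None:
            break
        rule, cmd, store = result
        trace.append(rule)
    return trace, cmd, store

# Constructed input: apply  lambda x. mu beta.<x || mu~y.<x||beta>>  (x demanded twice)
# to the frozen argument  mu alpha.<k||alpha>  in front of the co-constant kappa.
ARG  = ('mu', 'alpha', (('k', 'k'), ('covar', 'alpha')))
BODY = ('mu', 'beta', (('var', 'x'), ('mutilde', 'y', (('var', 'x'), ('covar', 'beta')))))
CMD  = (('lam', 'x', BODY), ('cons', ARG, ('kappa', 'kappa')))

if __name__ == '__main__':
    trace, final_cmd, final_store = run(CMD)
    print(' -> '.join(trace))
    print(final_cmd, [name for name, _ in final_store])
```

The run ends in the normal closure $\langle k \,\|\, \kappa\rangle$ with $x$ now bound to the value $k$ in the store, while the earlier $[\beta := \kappa]$ and $[y := x]$ bindings have been restored after it.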
$$\begin{array}{c}
\dfrac{(k : X) \in \mathcal{S}}{\Gamma \vdash_v k : X}\,(k) \qquad
\dfrac{\Gamma, x : A \vdash_t t : B}{\Gamma \vdash_v \lambda x.t : A \to B}\,(\to_r) \qquad
\dfrac{\Gamma \vdash_v v : A}{\Gamma \vdash_V v : A}\,(\uparrow^V) \qquad
\dfrac{(x : A) \in \Gamma}{\Gamma \vdash_V x : A}\,(x) \\[2ex]
\dfrac{(\kappa : A) \in \mathcal{S}}{\Gamma \vdash_F \kappa : A^\bot}\,(\kappa) \qquad
\dfrac{\Gamma \vdash_t t : A \quad \Gamma \vdash_E E : B^\bot}{\Gamma \vdash_F t \cdot E : (A \to B)^\bot}\,(\to_l) \qquad
\dfrac{(\alpha : A^\bot) \in \Gamma}{\Gamma \vdash_E \alpha : A^\bot}\,(\alpha) \\[2ex]
\dfrac{\Gamma \vdash_F F : A^\bot}{\Gamma \vdash_E F : A^\bot}\,(\uparrow^E) \qquad
\dfrac{\Gamma \vdash_V V : A}{\Gamma \vdash_t V : A}\,(\uparrow^t) \qquad
\dfrac{\Gamma, \alpha : A^\bot \vdash_c c}{\Gamma \vdash_t \mu\alpha.c : A}\,(\mu) \qquad
\dfrac{\Gamma \vdash_E E : A^\bot}{\Gamma \vdash_e E : A^\bot}\,(\uparrow^e) \\[2ex]
\dfrac{\Gamma, x : A \vdash_c c}{\Gamma \vdash_e \tilde\mu x.c : A^\bot}\,(\tilde\mu) \qquad
\dfrac{\Gamma, x : A, \Gamma' \vdash_F F : A^\bot \quad \Gamma, x : A \vdash_\tau \tau : \Gamma'}{\Gamma \vdash_E \tilde\mu[x].\langle x \,\|\, F\rangle\tau : A^\bot}\,(\tilde\mu[\,]) \\[2ex]
\dfrac{\Gamma \vdash_t t : A \quad \Gamma \vdash_e e : A^\bot}{\Gamma \vdash_c \langle t \,\|\, e\rangle}\,(c) \qquad
\dfrac{\Gamma \vdash_\tau \tau : \Gamma' \quad \Gamma, \Gamma' \vdash_c c}{\Gamma \vdash_l c\tau}\,(l) \qquad
\dfrac{}{\Gamma \vdash_\tau \varepsilon : \varepsilon}\,(\varepsilon) \\[2ex]
\dfrac{\Gamma \vdash_\tau \tau : \Gamma' \quad \Gamma, \Gamma' \vdash_t t : A}{\Gamma \vdash_\tau \tau[x := t] : \Gamma', x : A}\,(\tau_t) \qquad
\dfrac{\Gamma \vdash_\tau \tau : \Gamma' \quad \Gamma, \Gamma' \vdash_E E : A^\bot}{\Gamma \vdash_\tau \tau[\alpha := E] : \Gamma', \alpha : A^\bot}\,(\tau_E)
\end{array}$$


Fig. 2. Typing rules of the $\bar\lambda_{[lv\tau\star]}$-calculus 


2.4 A Type System for the $\bar\lambda_{[lv\tau\star]}$-calculus 


We have nine kinds of (one-sided) sequents, one for typing each of the nine 
syntactic categories. We write them with an annotation on the $\vdash$ sign, using 
one of the letters $v, V, t, F, E, e, l, c, \tau$. Sequents typing values and terms are 
asserting a type, with the type written on the right; sequents typing contexts 
are expecting a type $A$, with the type written $A^\bot$; sequents typing commands 
and closures are black boxes neither asserting nor expecting a type; sequents 
typing substitutions are instantiating a typing context. In other words, we have 
the following nine kinds of sequents: 


$$\begin{array}{lll}
\Gamma \vdash_l l & \Gamma \vdash_t t : A & \Gamma \vdash_e e : A^\bot \\
\Gamma \vdash_c c & \Gamma \vdash_V V : A & \Gamma \vdash_E E : A^\bot \\
\Gamma \vdash_\tau \tau : \Gamma' & \Gamma \vdash_v v : A & \Gamma \vdash_F F : A^\bot
\end{array}$$


where types and typing contexts are defined by: 

$$A, B ::= X \mid A \to B \qquad\qquad \Gamma ::= \varepsilon \mid \Gamma, x : A \mid \Gamma, \alpha : A^\bot$$


The typing rules are given in Fig. 2, where we assume that a variable $x$ 
(resp. co-variable $\alpha$) only occurs once in a context $\Gamma$ (we implicitly assume the 
possibility of renaming variables by $\alpha$-conversion). We also adopt the convention 
that constants $k$ and co-constants $\kappa$ come with a signature $\mathcal{S}$ which assigns them 
a type. This type system enjoys the property of subject reduction. 


Theorem 1 (Subject reduction). If $\Gamma \vdash_l c\tau$ and $c\tau \to c'\tau'$ then $\Gamma \vdash_l c'\tau'$. 


Proof. By induction on typing derivations. 
3 Normalization of the $\bar\lambda_{[lv\tau\star]}$-calculus 


3.1 Normalization by Realizability 


The proof of normalization for the $\bar\lambda_{[lv\tau\star]}$-calculus that we present in this section 
is inspired by techniques of Krivine’s classical realizability [19], whose notations 
we borrow. Actually, it is also very close to a proof by reducibility$^5$. In 
a nutshell, to each type $A$ is associated a set $|A|$ of terms whose execution is 
guided by the structure of $A$. These terms are the ones usually called realizers in 
Krivine’s classical realizability. Their definition is in fact indirect, and is done by 
orthogonality to a set of “correct” computations, called a pole. The choice of this 
set is central when studying models induced by classical realizability for second-
order logic, but in the present case we only pay attention to the particular pole 
of terminating computations. This is where one of the differences with usual 
proofs by reducibility lies: there everything is done with respect to SN, while our 
definitions are parametric in the pole (which is chosen to be SN in the end). The 
adequacy lemma, which is the central piece, consists in proving that typed terms 
belong to the corresponding sets of realizers, and are thus normalizing. 

In more detail, our proof can be sketched as follows. First, we generalize 
the usual notion of closed term to the notion of closed term-in-store. Intuitively, 
this is due to the fact that we are no longer interested in closed terms and 
substitutions to close open terms, but rather in terms that are closed when 
considered in the current store. This is based on the simple observation that a 
store is nothing more than a shared substitution whose content might evolve 
along the execution. Second, we define the notion of pole $\bot\!\!\bot$, which are sets of 
closures closed by anti-evaluation and store extension. In particular, the set of 
normalizing closures is a valid pole. This allows us to relate terms and contexts 
thanks to a notion of orthogonality with respect to the pole. We then define 
for each formula $A$ and typing level $o$ (of $e, t, E, V, F, v$) a set $|A|_o$ (resp. $\|A\|_o$) 
of terms (resp. contexts) in the corresponding syntactic category. These sets 
correspond to reducibility candidates, or to what is usually called truth values 
and falsity values in Krivine realizability. Finally, the core of the proof consists 
in the adequacy lemma, which shows that any closed term of type $A$ at level 
$o$ is in the corresponding set $|A|_o$. This guarantees that any typed closure is in 
any pole, and in particular in the pole of normalizing closures. Technically, the 
proof of adequacy evaluates in each case a state of an abstract machine (in our 
case a closure), so that the proof also proceeds by evaluation. A more detailed 
explanation of this observation as well as a more introductory presentation of 
normalization proofs by classical realizability are given in an article by Dagand 
and Scherer [7]. 


3.2 Realizability Interpretation for the $\bar\lambda_{[lv\tau\star]}$-calculus 


We begin by defining some key notions for stores that we shall need further in 
the proof. 


5 See for instance the proof of normalization for system D presented in [17, Sect. 3.2]. 
Definition 2 (Closed store). We extend the notion of free variable to stores: 

$$\begin{array}{rcl}
FV(\varepsilon) & \triangleq & \emptyset \\
FV(\tau[x := t]) & \triangleq & FV(\tau) \cup \{y \in FV(t) : y \notin dom(\tau)\} \\
FV(\tau[\alpha := E]) & \triangleq & FV(\tau) \cup \{\beta \in FV(E) : \beta \notin dom(\tau)\}
\end{array}$$

so that we can define a closed store to be a store $\tau$ such that $FV(\tau) = \emptyset$. 


Definition 3 (Compatible stores). We say that two stores $\tau$ and $\tau'$ are independent 
and write $\tau \,\#\, \tau'$ when $dom(\tau) \cap dom(\tau') = \emptyset$. We say that they are compatible 
and write $\tau \diamond \tau'$ whenever for all variables $x$ (resp. co-variables $\alpha$) present 
in both stores, $x \in dom(\tau) \cap dom(\tau')$, the corresponding terms (resp. contexts) in 
$\tau$ and $\tau'$ coincide. Finally, we say that $\tau'$ is an extension of $\tau$ and write $\tau \triangleleft \tau'$ 
whenever $dom(\tau) \subseteq dom(\tau')$ and $\tau \diamond \tau'$. 

We denote by $\tau\tau'$ the compatible union $join(\tau, \tau')$ of closed stores $\tau$ and $\tau'$, 
defined by: 

$$\begin{array}{rcll}
join(\tau_0[x := t]\tau_1, \tau_0'[x := t]\tau_1') & \triangleq & \tau_0\tau_0'[x := t]\,join(\tau_1, \tau_1') & (\text{if } \tau_0 \,\#\, \tau_0') \\
join(\tau, \tau') & \triangleq & \tau\tau' & (\text{if } \tau \,\#\, \tau') \\
join(\varepsilon, \tau) & \triangleq & \tau \\
join(\tau, \varepsilon) & \triangleq & \tau
\end{array}$$


The following lemma (which follows easily from the previous definition) states 
the main property we will use about the union of compatible stores. 


Lemma 4. If $\tau$ and $\tau'$ are two compatible stores, then $\tau \triangleleft \tau\tau'$ and $\tau' \triangleleft \tau\tau'$. 
Besides, if $\tau$ is of the form $\tau_0[x := t]\tau_1$, then $\tau\tau'$ is of the form $\tau_2[x := t]\tau_3$ with 
$\tau_0 \triangleleft \tau_2$ and $\tau_1 \triangleleft \tau_3$. 


Proof. This follows easily from the previous definition. 
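The following Python functions, added here and not part of the paper, implement $FV$ on stores, independence, compatibility, extension and the compatible union $join$ of Definitions 2 and 3 over a hypothetical tuple encoding of terms, and check both statements of Lemma 4 on constructed stores; they assume that bindings shared by two compatible stores occur in the same relative order in both, which is the case the first clause of $join$ addresses.

```python
# Added example, not the paper's own code: stores, compatibility and join.
# Hypothetical tuple encoding of the calculus (mu~[x] contexts, which carry a
# store of their own, are left out to keep the free-variable walk short):
#   ('var', x) ('k', name) ('lam', x, t) ('mu', a, c)                  terms
#   ('covar', a) ('kappa', name) ('cons', t, E) ('mutilde', x, c)      contexts
#   (t, e)                                                             commands
# A store is a list of (name, binding) pairs, in binding order.

def fv(obj):
    """Free variables and co-variables of a term, context or command."""
    if not isinstance(obj, tuple):
        return set()
    tag = obj[0]
    if tag in ('var', 'covar'):
        return {obj[1]}
    if tag in ('lam', 'mu', 'mutilde'):          # binders remove their variable
        return fv(obj[2]) - {obj[1]}
    # commands are bare pairs (t, e); every other node is the union of its children
    return set().union(*(fv(child) for child in obj if isinstance(child, tuple)))

def dom(tau):
    return {name for name, _ in tau}

def fv_store(tau):
    """FV(tau) of Definition 2: variables free in a binding and not bound earlier."""
    free, bound = set(), set()
    for name, binding in tau:
        free |= fv(binding) - bound              # bound = dom of the prefix store
        bound.add(name)
    return free

def closed(tau):
    return not fv_store(tau)

def independent(tau, tau2):                      # tau # tau'
    return not (dom(tau) & dom(tau2))

def compatible(tau, tau2):                       # tau <> tau'
    d, d2 = dict(tau), dict(tau2)
    return all(d[x] == d2[x] for x in d.keys() & d2.keys())

def extends(tau, tau2):                          # tau <| tau'
    return dom(tau) <= dom(tau2) and compatible(tau, tau2)

def join(tau, tau2):
    """Compatible union of Definition 3; only defined when compatible(tau, tau2).
    Assumption: bindings shared by both stores occur in the same relative order."""
    assert compatible(tau, tau2), "join is only defined on compatible stores"
    if not tau or not tau2:                      # join(eps, tau) = join(tau, eps) = tau
        return list(tau) + list(tau2)
    shared = dom(tau) & dom(tau2)
    if not shared:                               # tau # tau'  =>  tau tau'
        return list(tau) + list(tau2)
    # first shared binding [x := t]:  tau = tau0 [x:=t] tau1,  tau' = tau0' [x:=t] tau1'
    i = next(k for k, (name, _) in enumerate(tau) if name in shared)
    j = next(k for k, (name, _) in enumerate(tau2) if name == tau[i][0])
    tau0, tau1, tau0p, tau1p = tau[:i], tau[i + 1:], tau2[:j], tau2[j + 1:]
    assert independent(tau0, tau0p), "prefixes before the shared binding must be disjoint"
    return list(tau0) + list(tau0p) + [tau[i]] + join(tau1, tau1p)

# Constructed closed stores sharing [x := identity] and [y := x] in the same order.
KAP, K, T, VX = ('kappa', 'kap'), ('k', 'k'), ('lam', 'x', ('var', 'x')), ('var', 'x')
TAU  = [('a', KAP), ('x', T), ('y', VX)]
TAU2 = [('x', T), ('b', K), ('y', VX)]

if __name__ == '__main__':
    J = join(TAU, TAU2)
    print([name for name, _ in J], extends(TAU, J), extends(TAU2, J))
```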


As we explained in the introduction of this section, we will not consider 
closed terms in the usual sense. Indeed, while it is frequent in the proofs of 
normalization (e.g. by realizability or reducibility) of a calculus to consider only 
closed terms and to perform substitutions to maintain the closure of terms, 
this only makes sense if it corresponds to the computational behavior of the 
calculus. For instance, to prove the normalization of $\lambda x.t$ in the typed call-by-name 
$\lambda\mu\tilde\mu$-calculus, one would consider a substitution $\rho$ that is suitable with respect 
to the typing context $\Gamma$, then a context $u \cdot e$ of type $A \to B$, and evaluate: 

$$\langle \lambda x.t\rho \,\|\, u \cdot e\rangle \;\to\; \langle t\rho[u/x] \,\|\, e\rangle$$

Then we would observe that $t\rho[u/x] = t\rho[x := u]$ and deduce that $\rho[x := u]$ is 
suitable for $\Gamma, x : A$, which would allow us to conclude by induction. 

However, in the $\bar\lambda_{[lv\tau\star]}$-calculus we do not perform a global substitution when 
reducing a command, but rather add a new binding $[x := u]$ in the store: 

$$\langle \lambda x.t \,\|\, u \cdot E\rangle\tau \;\to\; \langle t \,\|\, E\rangle\tau[x := u]$$
Therefore, the natural notion of closed term involves the closure under a store, 
which might evolve during the rest of the execution (this is to be contrasted with a 
substitution). 


Definition 5 (Term-in-store). We call closed term-in-store (resp. closed 
context-in-store, closed closure) the combination of a term $t$ (resp. context $e$, 
command $c$) with a closed store $\tau$ such that $FV(t) \subseteq dom(\tau)$. We use the notation 
$(t|\tau)$ (resp. $(e|\tau)$, $(c|\tau)$) to denote such a pair. 


We should note that in particular, if $t$ is a closed term, then $(t|\tau)$ is a term-in-
store for any closed store $\tau$. The notion of closed term-in-store is thus a generalization 
of the notion of closed term, and we will (ab)use this terminology 
in the sequel. We denote the set of closed closures by $\mathcal{C}_0$, and will identify $(c|\tau)$ 
and the closure $c\tau$ when $c$ is closed in $\tau$. Observe that if $c\tau$ is a closure in $\mathcal{C}_0$ and 
$\tau'$ is a store extending $\tau$, then $c\tau'$ is also in $\mathcal{C}_0$. We are now equipped to define 
the notion of pole, and verify that the set of normalizing closures is indeed a 
valid pole. 


Definition 6 (Pole). A subset $\bot\!\!\bot \subseteq \mathcal{C}_0$ is said to be saturated or closed by 
anti-reduction whenever for all $(c|\tau), (c'|\tau') \in \mathcal{C}_0$, if $c'\tau' \in \bot\!\!\bot$ and $c\tau \to c'\tau'$ 
then $c\tau \in \bot\!\!\bot$. It is said to be closed by store extension if whenever $c\tau \in \bot\!\!\bot$, for 
any store $\tau'$ extending $\tau$ (i.e. $\tau \triangleleft \tau'$), $c\tau' \in \bot\!\!\bot$. A pole is defined as any subset of $\mathcal{C}_0$ 
that is closed by anti-reduction and store extension. 


The following proposition is the one supporting the claim that our realizability 
proof is almost a reducibility proof whose definitions have been generalized 
with respect to a pole instead of the fixed set SN. 


Proposition 7. The set $\bot\!\!\bot_{\Downarrow} = \{c\tau \in \mathcal{C}_0 : c\tau \text{ normalizes}\}$ is a pole. 


Proof. As we only consider closures in $\mathcal{C}_0$, both conditions (closure by anti-
reduction and store extension) are clearly satisfied: 


— if $c\tau \to c'\tau'$ and $c'\tau'$ normalizes, then $c\tau$ normalizes too; 
— if $c$ is closed in $\tau$ and $c\tau$ normalizes, and $\tau \triangleleft \tau'$, then $c\tau'$ will reduce as $c\tau$ does 
(since $c$ is closed under $\tau$, it can only use terms in $\tau'$ that already were in $\tau$) 
and thus will normalize. 


Definition 8 (Orthogonality). Given a pole $\bot\!\!\bot$, we say that a term-in-store 
$(t|\tau)$ is orthogonal to a context-in-store $(e|\tau')$ and write $(t|\tau)\,\bot\!\!\bot\,(e|\tau')$ if $\tau$ and $\tau'$ 
are compatible and $\langle t \,\|\, e\rangle\tau\tau' \in \bot\!\!\bot$. 


Remark 9. The reader familiar with Krivine’s forcing machine [20] might recognize 
his definition of orthogonality between terms of the shape $(t, p)$ and stacks 
of the shape $(\pi, q)$, where $p$ and $q$ are forcing conditions$^6$: 

$$(t, p)\,\bot\!\!\bot\,(\pi, q) \;\triangleq\; (t \star \pi, p \wedge q) \in \bot\!\!\bot$$


6 The meet of forcing conditions is indeed a refinement containing somewhat the 
“union” of information contained in each, just like the union of two compatible 
stores. 
We can now relate closed terms and contexts by orthogonality with respect 
to a given pole. This allows us to define for any formula $A$ the sets $|A|_v, |A|_V, |A|_t$ 
(resp. $\|A\|_F, \|A\|_E, \|A\|_e$) of realizers (or reducibility candidates) at level $v, V, 
t$ (resp. $F, E, e$) for the formula $A$. It is to be observed that realizers are here 
closed terms-in-store. 


Definition 10 (Realizers). Given a fixed pole $\bot\!\!\bot$, we set: 

$$\begin{array}{rcl}
|X|_v & = & \{(k|\tau) : \vdash k : X\} \\[1ex]
|A \to B|_v & = & \{(\lambda x.t|\tau) : \forall u\,\tau',\ \tau \diamond \tau' \wedge (u|\tau') \in |A|_t \Rightarrow (t|\tau\tau'[x := u]) \in |B|_t\} \\[1ex]
\|A\|_F & = & \{(F|\tau) : \forall v\,\tau',\ \tau \diamond \tau' \wedge (v|\tau') \in |A|_v \Rightarrow (v|\tau')\,\bot\!\!\bot\,(F|\tau)\} \\[1ex]
|A|_V & = & \{(V|\tau) : \forall F\,\tau',\ \tau \diamond \tau' \wedge (F|\tau') \in \|A\|_F \Rightarrow (V|\tau)\,\bot\!\!\bot\,(F|\tau')\} \\[1ex]
\|A\|_E & = & \{(E|\tau) : \forall V\,\tau',\ \tau \diamond \tau' \wedge (V|\tau') \in |A|_V \Rightarrow (V|\tau')\,\bot\!\!\bot\,(E|\tau)\} \\[1ex]
|A|_t & = & \{(t|\tau) : \forall E\,\tau',\ \tau \diamond \tau' \wedge (E|\tau') \in \|A\|_E \Rightarrow (t|\tau)\,\bot\!\!\bot\,(E|\tau')\} \\[1ex]
\|A\|_e & = & \{(e|\tau) : \forall t\,\tau',\ \tau \diamond \tau' \wedge (t|\tau') \in |A|_t \Rightarrow (t|\tau')\,\bot\!\!\bot\,(e|\tau)\}
\end{array}$$


Remark 11. We draw the reader’s attention to the fact that we should actually 
write $|A|_v^{\bot\!\!\bot}$, $\|A\|_F^{\bot\!\!\bot}$, etc. and $\tau \Vdash_{\bot\!\!\bot} \Gamma$, because the corresponding definitions are 
parameterized by a pole $\bot\!\!\bot$. As is common in Krivine’s classical realizability, we 
ease the notations by removing the annotation $\bot\!\!\bot$ whenever there is no ambiguity 
on the pole. Besides, it is worth noting that even if co-constants do not occur directly 
in the definitions, they may still appear in the realizers by means of the pole. 


If the definition of the different sets might seem complex at first sight, we 
claim that they are quite natural with regard to the methodology of Danvy’s 
semantic artifacts presented in [2]. Indeed, having an abstract machine in 
context-free form (the last step in this methodology before deriving the CPS) 
allows us to have both the term and the context (in a command) behave 
independently of each other. Intuitively, a realizer at a given level is precisely 
a term which is going to behave well (be in the pole) in front of any opponent 
chosen in the previous level (in the hierarchy $v, F, V$, etc.). For instance, in a 
call-by-value setting, there are only three levels of definition (values, contexts 
and terms) in the interpretation, because the abstract machine in context-free 
form also has three. Here the ground level corresponds to strong values, and the 
other levels are somewhat defined as terms (or contexts) which are well-behaved 
in front of any opponent in the previous one. The definition of the different sets 
$|A|_v, \|A\|_F, |A|_V$, etc. directly stems from this intuition. 

In comparison with the usual definition of Krivine’s classical realizability, 
we only considered orthogonal sets restricted to some syntactic subcategories. 
However, the definition still satisfies the usual monotonicity properties of bi-
orthogonal sets: 


Proposition 12. For any type $A$ and any given pole $\bot\!\!\bot$, we have: 
1. $|A|_v \subseteq |A|_V \subseteq |A|_t$;  2. $\|A\|_F \subseteq \|A\|_E \subseteq \|A\|_e$. 


Proof. All the inclusions are proved in a similar way. We only give the proof for 
$|A|_v \subseteq |A|_V$. Let $\bot\!\!\bot$ be a pole and $(v|\tau)$ be in $|A|_v$. We want to show that $(v|\tau)$ 
is in $|A|_V$, that is to say that $v$ is in the syntactic category $V$ (which is true), 
and that for any $(F|\tau') \in \|A\|_F$ such that $\tau \diamond \tau'$, $(v|\tau)\,\bot\!\!\bot\,(F|\tau')$. The latter holds 
by definition of $(F|\tau') \in \|A\|_F$, since $(v|\tau) \in |A|_v$. 


We now extend the notion of realizers to stores, by stating that a store $\tau$ 
realizes a context $\Gamma$ if it binds all the variables $x$ and $\alpha$ in $\Gamma$ to a realizer of the 
corresponding formula. 


Definition 13. Given a closed store $\tau$ and a fixed pole $\bot\!\!\bot$, we say that $\tau$ realizes 
$\Gamma$, which we write$^7$ $\tau \Vdash \Gamma$, if: 


1. for any $(x : A) \in \Gamma$, $\tau = \tau_0[x := t]\tau_1$ and $(t|\tau_0) \in |A|_t$; 
2. for any $(\alpha : A^\bot) \in \Gamma$, $\tau = \tau_0[\alpha := E]\tau_1$ and $(E|\tau_0) \in \|A\|_E$. 


In the same way that weakening rules (for the typing context) are admissible 
for each level of the typing system: 

$$\dfrac{\Gamma \vdash_t t : A \quad \Gamma \subseteq \Gamma'}{\Gamma' \vdash_t t : A} \qquad
\dfrac{\Gamma \vdash_e e : A^\bot \quad \Gamma \subseteq \Gamma'}{\Gamma' \vdash_e e : A^\bot} \qquad
\dfrac{\Gamma \vdash_\tau \tau : \Gamma'' \quad \Gamma \subseteq \Gamma'}{\Gamma' \vdash_\tau \tau : \Gamma''}$$


the definition of realizers is compatible with a weakening of the store. 


Lemma 14 (Store weakening). Let $\tau$ and $\tau'$ be two stores such that $\tau \triangleleft \tau'$, 
let $\Gamma$ be a typing context and let $\bot\!\!\bot$ be a pole. The following statements hold: 


1. $\tau\tau' = \tau'$. 

2. If $(t|\tau) \in |A|_t$ for some closed term $(t|\tau)$ and type $A$, then $(t|\tau') \in |A|_t$. 
The same holds for each level $e, E, V, F, v$ of the typing rules. 

3. If $\tau \Vdash \Gamma$ then $\tau\tau' \Vdash \Gamma$. 


Proof. 1. Straightforward from the definition of $\tau\tau'$. 

2. This essentially amounts to the following observations. First, one remarks that 
if $(t|\tau)$ is a closed term, then so is $(t|\tau\tau')$ for any closed store $\tau'$ compatible 
with $\tau$. Second, we observe that if we consider for instance a closed context 
$(E|\tau'') \in \|A\|_E$, then $\tau\tau' \diamond \tau''$ implies $\tau \diamond \tau''$, thus $(t|\tau)\,\bot\!\!\bot\,(E|\tau'')$ and finally 
$(t|\tau\tau')\,\bot\!\!\bot\,(E|\tau'')$ by closure of the pole under store extension. We conclude 
that $(t|\tau')\,\bot\!\!\bot\,(E|\tau'')$ using the first statement. 

3. By definition, for all $(x : A) \in \Gamma$, $\tau$ is of the form $\tau_0[x := t]\tau_1$ such that 
$(t|\tau_0) \in |A|_t$. As $\tau$ and $\tau'$ are compatible, we know by Lemma 4 that $\tau\tau'$ is 
of the form $\tau_0'[x := t]\tau_1'$ with $\tau_0'$ an extension of $\tau_0$, and using the first point 
we get that $(t|\tau_0') \in |A|_t$. 


Definition 15 (Adequacy). Given a fixed pole $\bot\!\!\bot$, we say that: 


— A typing judgment $\Gamma \vdash_t t : A$ is adequate (w.r.t. the pole $\bot\!\!\bot$) if for all stores 
$\tau \Vdash \Gamma$, we have $(t|\tau) \in |A|_t$. 


7 Once again, we should formally write $\tau \Vdash_{\bot\!\!\bot} \Gamma$ but we will omit the annotation by $\bot\!\!\bot$ 
as often as possible. 
— More generally, we say that an inference rule 

$$\dfrac{J_1 \quad \ldots \quad J_n}{J_0}$$

is adequate (w.r.t. the pole $\bot\!\!\bot$) if the adequacy of all typing judgments 
$J_1, \ldots, J_n$ implies the adequacy of the typing judgment $J_0$. 


Remark 16. From the latter definition, it is clear that a typing judgment that is 
derivable from a set of adequate inference rules is adequate too. 


We will now show the main result of this section, namely that the typing 
rules of Fig. 2 for the $\bar\lambda_{[lv\tau\star]}$-calculus without co-constants are adequate with any 
pole. Observe that this result requires us to consider the $\bar\lambda_{[lv\tau\star]}$-calculus without 
co-constants. Indeed, we consider co-constants as coming with their typing rules, 
potentially giving them any type (whereas constants can only be given an atomic 
type). Thus, there is a priori no reason$^8$ why their types should be adequate with 
any pole. 

However, as observed in the previous remark, given a fixed pole it suffices 
to check whether the typing rules for a given co-constant are adequate with 
this pole. If they are, any judgment that is derivable using these rules will be 
adequate. 


Theorem 17 (Adequacy). If Γ is a typing context, ⊥⊥ is a pole and τ is a store such that τ ⊩ Γ, then the following holds in the λ[lvτ⋆]-calculus without co-constants:

— If v is a strong value such that Γ ⊢_v v : A, then (v|τ) ∈ |A|_v.
— If F is a forcing context such that Γ ⊢_F F : A^⊥⊥, then (F|τ) ∈ ||A||_F.
— If V is a weak value such that Γ ⊢_V V : A, then (V|τ) ∈ |A|_V.
— If E is a catchable context such that Γ ⊢_E E : A^⊥⊥, then (E|τ) ∈ ||A||_E.
— If t is a term such that Γ ⊢_t t : A, then (t|τ) ∈ |A|_t.
— If e is a context such that Γ ⊢_e e : A^⊥⊥, then (e|τ) ∈ ||A||_e.
— If c is a command such that Γ ⊢_c c, then cτ ∈ ⊥⊥.
— If τ' is a store such that Γ ⊢_τ τ' : Γ', then ττ' ⊩ Γ, Γ'.


Proof. The different statements are proved by mutual induction over typing derivations. We only give the most important cases here.

Rule (→_l). Assume that

$$\frac{\Gamma \vdash_t u : A \qquad \Gamma \vdash_E E : B^{\bot\!\!\!\bot}}{\Gamma \vdash_F u \cdot E : (A \to B)^{\bot\!\!\!\bot}} \ (\to_l)$$

and let ⊥⊥ be a pole and τ a store such that τ ⊩ Γ. Let (λx.t|τ') be a closed term in the set |A → B|_v such that τ ⋄ τ', then we have:

$$\langle \lambda x.t \,\|\, u \cdot E \rangle \overline{\tau\tau'} \;\to\; \langle u \,\|\, \tilde\mu x.\langle t \,\|\, E \rangle \rangle \overline{\tau\tau'} \;\to\; \langle t \,\|\, E \rangle \overline{\tau\tau'}[x := u]$$

By definition of |A → B|_v, this closure is in the pole, and we can conclude by anti-reduction.

⁸ Think for instance of a co-constant of type (A → B)^⊥⊥: there is no reason why it should be orthogonal to any function in |A → B|_v.


Rule (x). Assume that

$$\frac{(x : A) \in \Gamma}{\Gamma \vdash_V x : A} \ (x)$$

and let ⊥⊥ be a pole and τ a store such that τ ⊩ Γ. As (x : A) ∈ Γ, we know that τ is of the form τ₀[x := t]τ₁ with (t|τ₀) ∈ |A|_t. Let (F|τ') be in ||A||_F, with τ ⋄ τ'. By Lemma 4, we know that $\overline{\tau\tau'}$ is of the form τ₀'[x := t]τ₁'. Hence we have:

$$\langle x \,\|\, F \rangle \tau_0'[x := t]\tau_1' \;\to\; \langle t \,\|\, \tilde\mu[x].\langle x \,\|\, F \rangle \tau_1' \rangle \tau_0'$$

and it suffices by anti-reduction to show that the last closure is in the pole ⊥⊥. By induction hypothesis, we know that (t|τ₀) ∈ |A|_t (hence (t|τ₀') ∈ |A|_t by Lemma 14), thus we only need to show that it is in front of a catchable context in ||A||_E. This corresponds exactly to the next case that we shall prove now.


Rule (μ̃^[]). Assume that

$$\frac{\Gamma, x : A, \Gamma' \vdash_F F : A^{\bot\!\!\!\bot} \qquad \Gamma, x : A \vdash_\tau \tau' : \Gamma'}{\Gamma \vdash_E \tilde\mu[x].\langle x \,\|\, F \rangle \tau' : A^{\bot\!\!\!\bot}} \ (\tilde\mu^{[]})$$

and let ⊥⊥ be a pole and τ a store such that τ ⊩ Γ. Let (V|τ₀) be a closed term in |A|_V such that τ₀ ⋄ τ. We have that:

$$\langle V \,\|\, \tilde\mu[x].\langle x \,\|\, F \rangle \tau' \rangle \overline{\tau_0\tau} \;\to\; \langle V \,\|\, F \rangle \overline{\tau_0\tau}[x := V]\tau'$$

By induction hypothesis, we obtain τ[x := V]τ' ⊩ Γ, x : A, Γ'. Up to α-conversion in F and τ', so that the variables in τ' are disjoint from those in τ₀, we have that $\overline{\tau_0\tau}$ ⊩ Γ (by Lemma 14) and then τ'' ≜ $\overline{\tau_0\tau}$[x := V]τ' ⊩ Γ, x : A, Γ'. By induction hypothesis again, we obtain that (F|τ'') ∈ ||A||_F (this was an assumption in the previous case) and as (V|τ₀) ∈ |A|_V, we finally get that (V|τ₀) ⊥⊥ (F|τ'') and conclude again by anti-reduction.


Corollary 18. If cτ is a closure such that ⊢_l cτ is derivable, then for any pole ⊥⊥ such that the typing rules for co-constants used in the derivation are adequate with ⊥⊥, cτ ∈ ⊥⊥.

We can now put our focus back on the normalization of typed closures. As we already saw in Proposition 7, the set ⊥⊥_⇓ of normalizing closures is a valid pole, so that it only remains to prove that any typing rule for co-constants is adequate with ⊥⊥_⇓.

Lemma 19. Any typing rule for co-constants is adequate with the pole ⊥⊥_⇓, i.e. if Γ is a typing context, and τ is a store such that τ ⊩ Γ, if κ is a co-constant such that Γ ⊢_F κ : A^⊥⊥, then (κ|τ) ∈ ||A||_F.

Proof. This lemma directly stems from the observation that for any store τ and any closed strong value (v|τ') ∈ |A|_v, ⟨v||κ⟩$\overline{\tau\tau'}$ does not reduce and thus belongs to the pole ⊥⊥_⇓.

As a consequence, we obtain the normalization of typed closures of the full calculus.

Theorem 20. If cτ is a closure of the λ[lvτ⋆]-calculus such that ⊢_l cτ is derivable, then cτ normalizes.

This is to be contrasted with Okasaki, Lee and Tarditi's semantics for the call-by-need λ-calculus, which is not normalizing in the simply-typed case, as shown in Ariola et al. [2].


3.3 Extension to 2nd-Order Type Systems

We focused in this article on simply-typed versions of the λ[lv] and λ[lvτ⋆] calculi. But as it is common in Krivine classical realizability, first and second-order quantifications (in Curry style) come for free through the interpretation. This means that we can for instance extend the language of types to first and second-order predicate logic:

$$\begin{array}{lcl}
e_1, e_2 & ::= & x \mid f(e_1, \ldots, e_k) \\
A, B & ::= & X(e_1, \ldots, e_n) \mid A \to B \mid \forall x.A \mid \forall X.A
\end{array}$$

We can then define the following introduction rules for universal quantifications:

$$\frac{\Gamma \vdash_v v : A \qquad x \notin FV(\Gamma)}{\Gamma \vdash_v v : \forall x.A} \ (\forall^1_r) \qquad\qquad \frac{\Gamma \vdash_v v : A \qquad X \notin FV(\Gamma)}{\Gamma \vdash_v v : \forall X.A} \ (\forall^2_r)$$

Observe that these rules need to be restricted at the level of strong values, just as they are restricted to values in the case of call-by-value⁹. As for the left rules, they can be defined at any level, let us say the most general one, e:

$$\frac{\Gamma \vdash_e e : (A[n/x])^{\bot\!\!\!\bot}}{\Gamma \vdash_e e : (\forall x.A)^{\bot\!\!\!\bot}} \ (\forall^1_l) \qquad\qquad \frac{\Gamma \vdash_e e : (A[B/X])^{\bot\!\!\!\bot}}{\Gamma \vdash_e e : (\forall X.A)^{\bot\!\!\!\bot}} \ (\forall^2_l)$$

where n is any natural number and B any formula. The usual (call-by-value) interpretation of the quantification is defined as an intersection over all the possible instantiations of the variables within the model. We do not wish to enter into too many details¹⁰ on this topic here, but first-order variables are to be instantiated by integers, while second-order variables are to be instantiated by subsets of terms at the lower level, i.e. closed strong values in store (which we write V₀):

$$|\forall x.A|_v = \bigcap_{n \in \mathbb{N}} |A[n/x]|_v \qquad\qquad |\forall X.A|_v = \bigcap_{S \in \mathbb{N}^k \to \mathcal{P}(V_0)} |A[S/X]|_v$$

where the variable X is of arity k. It is then routine to check that the typing rules are adequate with the realizability interpretation.

⁹ For further explanation on the need for a value restriction in Krivine realizability, we refer the reader to [29] or [25].
¹⁰ Once again, we advise the interested reader to refer to [29] or [25] for further details.
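As an added worked check, not part of the paper's text, here is the "routine" verification carried through for the two first-order rules (∀¹_r) and (∀¹_l), using the notation of the section. It rests on three assumptions, labelled as such in the block: (i) as in the paper's realizability interpretation of the simply-typed fragment (defined outside this excerpt), the levels above strong values are obtained by orthogonality with respect to the pole; (ii) the forcing level of a quantified type is the union of the forcing levels of its instances, the counterpart of the intersection taken at level v; (iii) a judgment with a free first-order variable is adequate when it is adequate under every instantiation of that variable by a natural number.

```latex
% Added worked check (not from the paper). \pole is the pole, S^\pole the
% orthogonal of a set S of closures-in-store, \Vdash store realizability.
\newcommand{\pole}{\bot\!\!\!\bot}

% Assumption (i): levels above v are obtained by orthogonality.
|A|_V = \|A\|_F^{\pole}, \qquad
\|A\|_E = |A|_V^{\pole}, \qquad
|A|_t = \|A\|_E^{\pole}, \qquad
\|A\|_e = |A|_t^{\pole}.

% Assumption (ii): forcing level of a quantified type (union of the instances).
\|\forall x.A\|_F = \bigcup_{n \in \mathbb{N}} \|A[n/x]\|_F .

% Fact used below: orthogonality reverses inclusions,
%   S \subseteq S'  implies  S'^{\pole} \subseteq S^{\pole}.

% Step 1. Fix n and climb the levels one orthogonal at a time.
\begin{array}{rcll}
\|A[n/x]\|_F      & \subseteq & \|\forall x.A\|_F & \text{by (ii)} \\
|\forall x.A|_V   & \subseteq & |A[n/x]|_V        & \text{orthogonal of the line above} \\
\|A[n/x]\|_E      & \subseteq & \|\forall x.A\|_E & \text{orthogonal again} \\
|\forall x.A|_t   & \subseteq & |A[n/x]|_t        & \\
\|A[n/x]\|_e      & \subseteq & \|\forall x.A\|_e &
\end{array}

% Step 2. Adequacy of (\forall^1_l).
% Assume \Gamma \vdash_e e : (A[n/x])^{\pole} is adequate and let \tau \Vdash \Gamma. Then
(e|\tau) \in \|A[n/x]\|_e \subseteq \|\forall x.A\|_e ,
% which is precisely the adequacy of \Gamma \vdash_e e : (\forall x.A)^{\pole}.

% Step 3. Adequacy of (\forall^1_r).
% By assumption (iii), \Gamma \vdash_v v : A adequate means: for every m \in \mathbb{N},
% \tau \Vdash \Gamma[m/x] implies (v|\tau) \in |A[m/x]|_v.  Let x \notin FV(\Gamma)
% and \tau \Vdash \Gamma.  Since x does not occur in \Gamma, \Gamma[m/x] = \Gamma, so
(v|\tau) \in |A[m/x]|_v \ \text{ for every } m \in \mathbb{N},
\qquad\text{hence}\qquad
(v|\tau) \in \bigcap_{m \in \mathbb{N}} |A[m/x]|_v = |\forall x.A|_v .
```

Note that Step 1 goes from one single instance at level F to the quantified type at every higher level, so the left rule needs no side condition, whereas Step 3 genuinely uses that the intersection is taken at the level v where the rule is stated.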


4 Conclusion and Further Work 


In this paper, we presented a system of simple types for a call-by-need calculus with control, which we proved to be safe in that it satisfies subject reduction (Theorem 1) and that typed terms are normalizing (Theorem 20). We proved the normalization by means of a realizability-inspired interpretation of the λ[lvτ⋆]-calculus. Incidentally, this opens the door to the computational analysis (in the spirit of Krivine realizability) of classical proofs using control, laziness and shared memory.

In further work, we intend to present two extensions of the present paper. First, following the definition of the realizability interpretation, we managed to type the continuation-and-store passing style translation for the λ[lvτ⋆]-calculus (see [2]). Interestingly, typing the translation emphasizes its computational content, and in particular, the store-passing part is reflected in a Kripke forcing-like manner of typing the extensibility of the store [28, Chap. 6].

Second, on a different aspect, the realizability interpretation we introduced could be a first step towards new ways of realizing axioms. In particular, the first author used in his Ph.D. thesis [28, Chap. 8] the techniques presented in this paper to give a normalization proof for dPAω, a proof system developed by the second author [15]. Indeed, this proof system makes it possible to define a proof for the axiom of dependent choice thanks to the use of streams that are lazily evaluated, and was lacking a proper normalization proof.

Finally, to determine the range of our technique, it would be natural to investigate the relation between our framework and the many different presentations of call-by-need calculi (with or without control). Amongst other calculi, we could cite Chang and Felleisen's presentation of call-by-need [4], Garcia et al.'s lazy calculus with delimited control [10] or Kesner's recent paper on normalizing by-need terms characterized by an intersection type system [16]. To this end, we might rely on Pédrot and Saurin's classical by-need [33]. They indeed relate (classical) call-by-need with linear head-reduction from a computational point of view, and draw the connections with the presentations of Ariola et al. [2] and Chang and Felleisen [4]. Ariola et al.'s λ_lv-calculus being close to the λ[lvτ⋆]-calculus (see [2] for further details), our technique is likely to be adaptable to their framework, and thus to Pédrot and Saurin's system.
Abstract. Higher inductive types (HITs) in Homotopy Type Theory allow the definition of datatypes which have constructors for equalities over the defined type. HITs generalise quotient types, and allow the definition of types with non-trivial higher equality types, such as spheres, suspensions and the torus. However, there are also interesting uses of HITs to define types satisfying uniqueness of equality proofs, such as the Cauchy reals, the partiality monad, and the well-typed syntax of type theory. In each of these examples we define several types that depend on each other mutually, i.e. they are inductive-inductive definitions. We call those HITs quotient inductive-inductive types (QIITs). Although there has been recent progress on a general theory of HITs, there is not yet a theoretical foundation for the combination of equality constructors and induction-induction, despite many interesting applications. In the present paper we present a first step towards a semantic definition of QIITs. In particular, we give an initial-algebra semantics. We further derive a section induction principle, stating that every algebra morphism into the algebra in question has a section, which is close to the intuitively expected elimination rules.


1 Introduction 


This paper is about type theory in the sense of Martin-Löf [29], a theory which 
proof assistants such as Coq [7] and Lean [14] as well as programming languages 
such as Agda [31] and Idris [8] are based on. Recently, Homotopy type theory 
(HoTT) [34] has been introduced inspired by homotopy theoretic interpretations 
of type theory by Awodey and Warren [5] and Voevodsky [25,36]. 

A central concept in type theory is the concept of inductive definitions, which 
allows us to define inductive datatypes like the natural numbers, lists and trees 
just by presenting constructors with strictly positive occurrences of the inductive 
type being defined. Using the propositions as types explanation, we can use the 
same mechanism to inductively define predicates and relations, like an order on the 
natural numbers, or the derivability predicate for a logic defined by rules. Concep- 
tually, HoTT changes what we mean by an inductive definition, because we view 
a type not only as given by its elements (points) but also by its equality proofs 
(paths). Hence an inductive definition may not only feature constructors for elements but also for equalities. This concept of higher inductive types (HITs) has 
been used to represent the homotopical structure of geometric objects, like circles, 
spheres and tori, and gives rise to synthetic homotopy theory in HoTT [32]. 

However, as already noted in the HoTT Book [34], HITs have also more quo- 
tidian applications, such as a definition of the Cauchy reals for which the use 
of the axiom of choice can be avoided when proving e.g. Cauchy completeness. 
Instead of defining the real numbers as a quotient of sequences of rationals, a HIT 
is used to define them as the Cauchy completion of the rational numbers, with 
the quotienting happening simultaneously with the completion definition. Simi- 
larly, a definition of the partiality monad, which represents potentially diverging 
operations over a given type, was given using a HIT [2,13,35], again avoiding 
the axiom of choice when showing e.g. that the construction is a monad [12]. 

As we see from these examples, the idea of generating points and equalities of a type inductively is interesting, even if we do not care about the higher equality structure of types, or if we do not want it. For example: consider trees branching over an arbitrary type A, quotiented by arbitrary permutations of subtrees. We first define the type T₀(A) of A-branching trees, given by the constructors

  leaf₀ : T₀(A)
  node₀ : (A → T₀(A)) → T₀(A).

We then form the binary relation R on T₀(A) that we want to quotient by as follows: R is the smallest relation such that for any auto-equivalence on A (i.e. any e : A → A which has an inverse) and f : A → T₀(A), we have a proof p_{f,e} : R(node₀(f), node₀(f ∘ e)), and, secondly, for g, h : A → T₀(A) such that (n : A) → R(g(n), h(n)), we have a proof c_{g,h} : R(node₀(g), node₀(h)). We can then form the quotient type T₀(A)/R, which is the type of unlabelled trees where each node has an A-indexed family of subtrees, and two trees which agree modulo the "order" of their subtrees are equal. For A = 2, these are binary trees where the order of the two subtrees of each node does not matter.

Now, morally, from a family A → (T₀(A)/R), we should be able to construct an element of the quotient T₀(A)/R. This is indeed possible if A is 2 or another finite type, by applying the induction principle of the quotient type A times. However, it seems that, for a general type A, this would require the axiom of choice [34], which unfortunately is not a constructive principle [15]. But using a higher inductive type, we can give an alternative definition for the type of A-branching trees modulo permutation of subtrees.


Example 1. Given a type A, we define T(A) : hSet by

  leaf : T(A)
  node : (A → T(A)) → T(A)
  mix : (f : A → T(A)) → (e : A ≃ A) → node(f) = node(f ∘ e).

Note that the fact that T(A) is a homotopy set (see preliminaries below) is implicitly included in the statement T(A) : hSet. The construction we were looking for is now directly given by the constructor node. This demonstration of the usefulness of higher inductive constructions to increase the strength of quotients was first discussed in Altenkirch and Kaposi [1], where such set-truncated HITs are called quotient inductive types (QITs).

Another example of the use of higher inductive types is type theory in type 
theory [1], where the well-typed syntax of type theory is implemented as a higher 
inductive-inductive [30] type in type theory itself. A significantly simplified ver- 
sion of this will serve as a running example for us: 


Example 2. We define the syntax of a (very basic) type theory by constructing types representing contexts and types as follows. A set Con : hSet and a type family Ty : Con → hSet are simultaneously defined by giving the constructors

  ε : Con
  ext : (Γ : Con) → Ty(Γ) → Con
  ι : (Γ : Con) → Ty(Γ)
  σ : (Γ : Con) → (A : Ty(Γ)) → Ty(ext Γ A) → Ty(Γ)
  σ_eq : (Γ : Con) → (A : Ty(Γ)) → (B : Ty(ext Γ A)) → ext (ext Γ A) B =_Con ext Γ (σ Γ A B).

For simplicity, we do not consider terms. Contexts are either empty ε, or an extended context ext Γ A representing the context Γ extended by a fresh variable of type A. Types are either the base type ι (well-typed in any context), or Σ-types represented by σ Γ A B (well-typed in context Γ if A is well-typed in context Γ, and B is well-typed in the extended context ext Γ A). Type theory in type theory as in [1] has plenty of equality constructors, which play a role as soon as terms are introduced. To keep the example simple we instead use another equality, stating that extending a context by A followed by B is equal to extending it by σ Γ A B. This equality is given by σ_eq. Note that it is not possible to list the constructors of Con and Ty separately: due to the mutual dependency, the Ty-constructor σ has to be given in between the two Con-constructors ext and σ_eq.


Despite a lot of work making use of concrete HITs [4,9-11,23,26,27], and 
despite the fact that it is usually — on some intuitive level — clear for the 
expert how the elimination principle for such a HIT can be derived, giving a 
general specification and a theoretical foundation for HITs has turned out to 
be a major difficulty. Several approaches have been proposed [6, 18, 28,33], and 
they do indeed give a satisfactory specification of HITs in the sense that they 
cover all HITs which have been used so far (see related work below). However, 
to the best of our knowledge, no approach covers higher inductive-inductive def- 
initions such as Example 2. The purpose of the current paper is to remedy this. 
We restrict ourselves to sets, i.e. to quotient inductive-inductive types (QIITs). This is of course a serious restriction, since it means that we cannot capture many ordinary HITs such as e.g. the circle S¹. At the same time, all higher inductive-inductive types that we know of are indeed sets — the Cauchy reals, the surreal numbers, the partiality monad, type theory in type theory, permutable trees — and will be instances of our framework, which allows arbitrarily complicated dependency structures. In particular, we allow intermixing of constructors as in Example 2.


Contributions. We give a formal specification of quotient inductive-inductive 
types with arbitrary dependency structure. This can be viewed as the general- 
isation of the usual semantics of inductive types as initial algebras of a functor to quotient inductive-inductive types. A QIIT is specified by (i) its sorts, 
which encode the types and type families that it consists of (Sect.2), and (ii) 
by a sequence of constructors, that in turn are specified by argument and tar- 
get functors (Sect.3). This is a very general framework, covering in particular 
point (Sect. 3.2) and path constructors (Sect. 3.4). Each constructor specification 
gives rise to a category of algebras, and we establish conditions on the target 
functors that allow us to conclude that these categories of algebras are complete 
(Sect. 3.5). This is important, because it allows us to prove the equivalence of 
initiality and a principle that we call section induction (Sect.4), stating that 
every algebra morphism into the algebra in question has a section; this principle 
is close to the intuitively expected elimination rules. 

A full version of the paper, including all proofs, is available on the arXiv [3]. 


Related Work. Sojakova [33] shows the correspondence between initiality and 
induction (a variant of our Theorem 31) for W-suspensions, a restricted class 
of HITs. Basold, Geuvers and van der Weide [6] introduce a syntactic schema 
for HITs without higher path constructors, and derive their elimination rules. 
Dybjer and Moeneclaey [18] give a syntactic schema for finitary HITs with at 
most paths between paths, and give an interpretation in Hofmann and Streicher’s 
groupoid model [22]. Finally, Lumsdaine and Shulman’s work on the semantics 
of HITs in model categories [28] is similar to an external version of our approach. 


Preliminaries. We work in a standard Martin-Lof style type theory and assume 
function extensionality. We do not assume univalence, but also do not contradict 
it; in particular, everything we do works in the type theory from the HoTT 
Book [34]. We write U for “the” universe of types, omitting universe indices 
in the typical ambiguity style [21]. A type is a set if all its equality proofs are 
equal, and hSet is defined as X(A : U).is-set(A); we implicitly treat elements of 
hSet as their first projections — this allows us to view hSet as a universe. By a 
category, we mean a precategory [34, Definition 9.1.1] in the sense of the HoTT 
Book (all our categories become univalent categories if univalence is assumed). 
We write C => D for functors and X — Y for functions between types. We 
denote the obvious category of sets and functions by hSet as well; consequently, 
F : A — hSet denotes a type family, while F : C = hSet denotes a functor. For 
such a functor F : C ⇒ hSet, we write ∫F for the category of elements of F, whose objects are pairs (X, x) of an object X in C and an element x : FX. For a function f : X → Y and x, w : X, we write ap_f : x = w → f(x) = f(w) for the usual "action of a function on paths", ⁻¹ : x = y → y = x for "path reversal", and · : x = y → y = z → x = z for "path concatenation" [34, Lemmas 2.2.1, 2.1.1, 2.1.2].


2 Sorts 


Single inductive (and quotient inductive) sets are simply elements of hSet. Induc- 
tive families [17] indexed over some fixed type A are families A — hSet. For the 
inductive-inductive definitions we are considering, the situation is more compli- 
cated, since we allow very general dependency structures. Our only requirement 
is that there is no looping dependency, since this is easily seen to lead to contra- 
dictions, e.g. we do not allow the definition of a family A: B — hSet mutually 
with a family B : A — hSet (whatever this would mean). Concretely, we will 
ensure that the collection of type formation rules (the type signatures) is given 
in a valid order, and we refer to the types used as family indices as the sorts of 
the definition. Hence our first step towards a specification of general QIITs is to 
explain what a valid specification of the sorts is. 

Sorts do not only determine the formation rules of the inductive definitions, 
but also the types of the eliminators. To capture this, it is not enough to specify 
a type of sorts — in order to take the shape of the elimination rules into account, 
we need to specify a category. 


Definition 3 (Sort specifications). A specification of the sorts of a quotient inductive-inductive definition of n types is given by a list

  H₀, H₁, ..., H_{n−1},

where each H_i is a functor H_i : C_i ⇒ hSet. Here, C₀ := 1 is the terminal category, and C_{i+1} is defined as follows:

— objects are pairs (X, P), where X is an object in C_i, and P : H_i(X) → hSet is a family of sets;

— a morphism (f, g) : (X, P) → (Y, Q) consists of a morphism f : X → Y in C_i, and a dependent function g : (x : H_i(X)) → P(x) → Q(H_i(f) x) (in hSet).

We say that C_n is the base category for the sort signature H₀, ..., H_{n−1}.


The following examples will hopefully make clear the connection between the 
specification in Definition 3 and common classes of data types. 


Example 4 (Permutable trees). For a single inductive type such as the type of trees T(A) in Example 1, the sorts are specified by a single functor H₀ : C₀ ⇒ hSet which maps the single object ⋆ of C₀ to the unit type 1. Objects in the base category C₁ are thus pairs (⋆, W), where W : 1 → hSet, and morphisms (⋆, W) → (⋆, V) are given by f : ⋆ → ⋆ in 1 (necessarily the identity morphism), together with a dependent function g : (x : 1) → W(x) → V(x). It is easy to see that this category C₁ is equivalent to the category hSet.
Example 5 (The finite types). Consider the inductive family Fin : ℕ → hSet of finite types. Again, this is a single type family, i.e. we are in the case n = 1. We have H₀(⋆) := ℕ, and the base category C₁ is equivalent to the category of ℕ-indexed families, where objects are families X : ℕ → hSet and morphisms C₁(X, Y) are dependent functions f : (n : ℕ) → X(n) → Y(n).

Example 6 (Contexts and types). Let us consider the QIIT (Con, Ty) from Example 2. Here, we need two functors H₀, H₁, the first corresponding to Con and the second to Ty. The first is given by H₀(⋆) := 1 as in Example 4, since Con is a type on its own. Next, we need H₁ : C₁ ⇒ hSet. Applying the equivalence between C₁ and hSet established in Example 4, we define H₁ to be the identity functor H₁(A) := A, since then Ty : H₁(Con) → hSet. The base category C₂ is equivalent to the category Fam(hSet), whose objects are pairs (A, B) where A : hSet and B : A → hSet, and whose morphisms (A, B) → (A', B') consist of functions f : A → A' together with dependent functions g : (x : A) → B(x) → B'(f x).

Example 7 (The Cauchy reals). Recall that the Cauchy reals in the HoTT book [34] are constructed by simultaneously defining ℝ : hSet and ∼ : ℝ × ℝ → hSet (we ignore the fact that [34] uses U instead of hSet). This time the sorts H₀, H₁ are given by H₀(⋆) := 1 and H₁(A) := A × A, corresponding to the fact that ∼ is a binary relation on ℝ. The base category has (up to equivalence) pairs (X, Y) with Y : X × X → hSet as objects, and morphisms are defined accordingly.

Example 8 (The full syntax of type theory). Altenkirch and Kaposi [1] give the complete syntax of a basic type theory as a (at that point unspecified) QIIT. Although this construction is far too involved to be treated as an example in the rest of this paper (where we prefer to work with the simplified version of Example 2), we can give the sort signature H₀, H₁, H₂, H₃ of this QIIT. Apart from contexts Con and types Ty, this definition also involves context morphisms Tms and terms Tm:

  Con : hSet                 Tms : Con × Con → hSet
  Ty : Con → hSet            Tm : (Σ(Γ : Con).Ty(Γ)) → hSet.

We have:

  H₀(⋆) := 1                C₁ ≃ hSet as in Example 4;
  H₁(A) := A                C₂ ≃ Fam(hSet) as in Example 6;
  H₂(A, B) := A × A         C₃ has objects (A, B, C), where C : A × A → hSet;
  H₃(A, B, C) := Σ A B      C₄ has objects (A, B, C, D), where D : (Σ A B) → hSet.

Remark 9. Although we work in type theory also in the meta-theory, we give the presentation informally in natural language. Formally, the specification of sorts and base categories of Definition 3 can be defined as an inductive-recursive definition [19] of the list H₀, ..., H_{n−1} simultaneously with a function that turns such a list into a category. Details can be found in Dijkstra's thesis [16, Sect. 4.3].
The main result of this section states that base categories of sort signatures are complete, i.e. have all small limits. By a small limit, we mean a limit of a diagram D : I ⇒ C, where the shape category I has a set of objects, and the collection of morphisms between any two objects is a set. This result will be needed later to show that categories of QIIT algebras are complete. Recall that hSet has all small limits by a standard construction.

Theorem 10 (Base categories are complete). For any sort signature H₀, ..., H_{n−1}, the corresponding base category C_n has all small limits.


Proof. All proofs can be found in the arXiv version of the paper [3]. 


3 Algebras 


Once the sorts of an inductive definition have been established, the next step is to 
specify the constructors. In this section, we will give a very general definition of 
constructor specifications, although we will mainly focus on two specific kinds: 
point constructors, which can be thought of as the operations of an algebraic 
signature, and path constructors, which correspond to the axioms. 

Similarly to how sorts are specified inductively in Sect. 2, we construct suit- 
able categories of algebras by starting with a finitely complete category C such 
as the one obtained from a sort signature, specify a constructor on C, and then 
extend C using this constructor specification to get a new finitely complete cate- 
gory C’. This process is repeated until all constructors have been added, and we 
obtain the sought-after inductive type as the underlying set of an initial object 
of the category at the last stage, provided this initial object exists. In the case of 
the inductive definition of natural numbers, this process will turn out as follows: 


— we start with hSet as our base category (only one trivial sort, as in Example 4); 

— we add a point constructor for the constant corresponding to 0; the category 
of algebras at this stage is the category of pointed sets; 

— we add a second point constructor for the operation corresponding to suc; 
the category of algebras at this stage is the category of sets equipped with a 
point and a unary operation; 

— the set of natural numbers, together with its usual structure, can now be 
regarded as an initial object in the category of algebras just constructed. 
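The four steps just listed, worked out as an added example in Lean 4. This is not code from the paper; the names NatAlg, NatAlgHom, natAlg, fold, foldHom and parityAlg are this example's own choices, and the Bool algebra at the end is a constructed sample. The block spells out the category of algebras reached after the two point constructors (a set with a point and a unary operation), exhibits ℕ as an initial object by giving the morphism into an arbitrary algebra, and shows that the uniqueness half of initiality is exactly the induction principle of ℕ, which is the initiality/induction correspondence the paper develops for QIITs in Sect. 4.

```lean
-- Added example, not code from the paper: the natural numbers as an initial
-- object of the category of algebras built in the four steps above
-- (a set with a point for 0 and a unary operation for suc).
-- Hypothetical names chosen here: NatAlg, NatAlgHom, natAlg, fold, foldHom, parityAlg.

/-- An algebra for the two point constructors: a carrier set with a point and
    a unary operation. This is the category of algebras after step 3. -/
structure NatAlg where
  carrier : Type
  zero    : carrier
  succ    : carrier → carrier

/-- A morphism of algebras: a function that commutes with both constructors. -/
structure NatAlgHom (X Y : NatAlg) where
  map      : X.carrier → Y.carrier
  map_zero : map X.zero = Y.zero
  map_succ : ∀ x, map (X.succ x) = Y.succ (map x)

/-- The candidate initial object: ℕ with its usual structure (step 4). -/
def natAlg : NatAlg := ⟨Nat, 0, Nat.succ⟩

/-- Existence half of initiality: the iterator into an arbitrary algebra `Y`. -/
def fold (Y : NatAlg) : Nat → Y.carrier
  | 0     => Y.zero
  | n + 1 => Y.succ (fold Y n)

/-- `fold Y` is an algebra morphism; both laws hold by definitional unfolding
    because `fold` is defined by structural recursion. -/
def foldHom (Y : NatAlg) : NatAlgHom natAlg Y :=
  { map := fold Y, map_zero := rfl, map_succ := fun _ => rfl }

/-- Uniqueness half: any algebra morphism out of `natAlg` agrees with `fold Y`.
    The proof is exactly the induction principle of ℕ. -/
theorem foldHom_unique (Y : NatAlg) (h : NatAlgHom natAlg Y) :
    ∀ n : Nat, h.map n = fold Y n
  | 0     => h.map_zero
  | n + 1 => (h.map_succ n).trans (congrArg Y.succ (foldHom_unique Y h n))

/-- A constructed sample algebra: parity on `Bool` (0 ↦ true, suc ↦ not). -/
def parityAlg : NatAlg := ⟨Bool, true, not⟩

-- The unique morphism into `parityAlg` computes parity: 5 is odd.
example : fold parityAlg 5 = false := rfl
```

Read together, `foldHom` and `foldHom_unique` say that `natAlg` is initial; the same two halves (existence and uniqueness of the morphism out of the initial algebra) are what the paper's section induction principle packages for the general QIIT case.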


3.1 Relative Continuity and Constructor Specifications 


Roughly speaking, constructors at each stage are given by pairs of hSet-valued 
functors F and G on C, where G is continuous (i.e. preserves all small limits). 
The intuition is that F specifies the arguments of the constructor, while G 
determines its target. For instance, in the example of the natural numbers when 
specifying the constructor suc : N — N, C is the category of pointed sets, and 
both F and G are the forgetful functor to hSet. The continuity condition on G 
is needed for the corresponding category of algebras to be complete. Intuitively, 
this expresses that a constructor should only "construct" elements of one of the 
sorts, or equalities thereof. In particular, a constant functor is usually not a 
valid choice for G. 

Unfortunately, this simple description falls short of capturing many of the 
examples of QIITs mentioned in Sect. 1. The problem is that we want G to be 
able to depend on the elements of F. However, since F is assumed to be an 
arbitrary functor, its category of elements is not necessarily complete, and so we 
need to refine the notion of G being continuous to this case. 


Definition 11 (Relative continuity). Let C be a category, C₀ a complete category, and U : C ⇒ C₀ a functor. If I is a small category, and X : I ⇒ C is a diagram, we say that a cone A → X in C is a U-limit cone, or limit cone relative to U, if the induced cone UA → UX is a limit cone in C₀. A functor C ⇒ hSet is continuous relative to U if it maps U-limit cones to limit cones in hSet.

In the special case C₀ = hSet, the functor U in Definition 11 is continuous relative to itself. Also note that if C is complete and U creates limits, then relative continuity with respect to U reduces to ordinary continuity. If C is a complete category, and F : C ⇒ hSet is an arbitrary functor, the category ∫F of elements of F is equipped with a forgetful functor into C. We will implicitly consider relative limit cones and relative continuity with respect to this forgetful functor, unless specified otherwise. Note that if C is complete and F is continuous, then ∫F is also complete, and relative continuity of functors on ∫F is the same as continuity, as observed above.

We can now give a precise definition of what is needed to specify a 
constructor: 


Definition 12 (Constructor specifications). A constructor specification on 
a complete category C is given by: 


— a functor F : C = hSet, called the argument functor of the specification; 
— a relatively continuous functor G : JÎF => hSet, called the target functor. 


Given a constructor specification, we can define the corresponding category 
of algebras. In Theorem 25, we will see that the assumptions of Definition 12 
guarantee that this category is complete. 


Definition 13 (Category of algebras). Let $(F, G)$ be a constructor specification
on a complete category $C$. The category of algebras of $(F, G)$ is denoted
$C.(F, G)$, and is defined as follows:


— objects are pairs $(X, \theta)$, where $X$ is an object of $C$, and $\theta : (x : FX) \to G(X, x)$
is a dependent function (in hSet);

— morphisms $(X, \theta) \to (Y, \psi)$ are given by morphisms $f : X \to Y$ in $C$, with the
property that for all $x : FX$,


$\psi(F(f)\,x) = G(\bar f)(\theta\,x),$

where $\bar f : (X, x) \to (Y, F(f)\,x)$ is the morphism in $\int^{C} F$ determined by $f$.


¹ More concretely, elements of a sort correspond to representable functors for algebras
over a single generator for that sort, while equalities correspond to algebras with no
generators and the given equality as the only relation. Clearly, representable functors
are continuous, and the converse holds for reasonable functors (e.g. accessible ones).
However, we do not attempt to make this construction precise here, and the following
results do not depend on it.


We think of $C.(F, G)$ as a category of “dependent dialgebras” [20]. Note that
there is an obvious forgetful functor $C.(F, G) \to C$.

Similarly to how we defined sort specifications (Definition 3), we now have
all the necessary notions in place to be able to give the full definition of a QIIT.


Definition 14 (QIIT descriptions). A QIIT description is given by


— a sort specification $H_0, \ldots, H_{n-1}$;

— a list of constructor specifications $(F_0, G_0), \ldots, (F_{n-1}, G_{n-1})$ on $B_0, \ldots, B_{n-1}$
respectively, where $B_0$ is the base category of the given sort specification, and
$B_{j+1}$ is the category of algebras of $(F_j, G_j)$.


For Definition 14 to make sense, the categories $B_j$ need to be complete,
since constructor specifications are only defined on complete categories. This
will follow from Theorem 25.


Example 15 (Permutable trees). The constructor leaf : T(A) from Example 1
can be specified by functors $F_0 : \mathrm{hSet} \to \mathrm{hSet}$ and $G_0 : \int^{\mathrm{hSet}} F_0 \to \mathrm{hSet}$, where
$F_0(X) := 1$ and $G_0(X, 1) := X$. Note how $F_0$ specifies the (trivial) arguments of
leaf, and $G_0$ the target. Next the constructor node : (A → T(A)) → T(A) can be
specified by functors $F_1 : \mathrm{hSet}_* \to \mathrm{hSet}$ and $G_1 : \int^{\mathrm{hSet}_*} F_1 \to \mathrm{hSet}$, where $\mathrm{hSet}_*$
is the category of pointed sets (we think of the point as the previous constructor
leaf): $F_1$ and $G_1$ are defined as $F_1(X, l) := A \to X$ and $G_1(X, l, f) := X$, so that
node : $(f : F_1(T(A), \mathrm{leaf})) \to G_1(T(A), \mathrm{leaf}, f)$.


Theorem 18 will show that $G_0$ and $G_1$ are relatively continuous.

The corresponding category of algebras for this constructor specification
$(F_1, G_1)$ for node is equivalent to the category whose objects are triples $(X, l, n)$
where $X : \mathrm{hSet}$, $l : X$, and $n : (A \to X) \to X$. After specifying also the mix
constructor, the new category of algebras further contains a dependent function
$p : (f : A \to X) \to (e : A \simeq A) \to n(f) = n(f \circ e)$.
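As an added worked example (not part of the paper), Definition 13 unfolded for the node and mix stages of the permutable-tree QIIT above; the argument functor $F_2$ for mix is an assumption stated in the comments:

```latex
% Added worked example (not from the paper): Definition 13 unfolded for the
% permutable-tree QIIT of Example 15, one constructor stage at a time.

% Stage "node": base category C = hSet_*, F_1(X,l) = A -> X, G_1(X,l,f) = X.
\text{Objects of } \mathrm{hSet}_*.(F_1,G_1)\text{: } ((X,l),n) \text{ with } n : (A \to X) \to X.
\text{Morphisms } ((X,l),n) \to ((Y,l'),n')\text{: point-preserving } h : X \to Y,\ h(l) = l',
\text{such that for all } f : A \to X \text{ (Definition 13 with } \theta = n,\ \psi = n'\text{):}
  n'\big(F_1(h)\,f\big) \;=\; G_1(\bar h)\,(n\,f).
\text{Here } F_1(h)\,f = h \circ f \text{ (post-composition) and } G_1(\bar h) = h
\text{ (the underlying function), so the condition reads}
  n'(h \circ f) \;=\; h\,(n\,f),
\text{the familiar homomorphism law for the operation } n.

% Stage "mix": base category hSet_*.(F_1,G_1). Assumed (not stated on the page):
%   F_2(X,l,n) = \Sigma(f : A \to X).\,(A \simeq A),
%   G_2(X,l,n,f,e) = (n\,f =_X n(f \circ e))   (the equality functor of Example 24).
\text{Objects: } ((X,l,n),p) \text{ with } p : (f : A \to X) \to (e : A \simeq A) \to n\,f =_X n(f \circ e).
\text{Morphisms: } h \text{ as above such that for all } f, e,
  p'(h \circ f,\, e) \;=\; G_2(\bar h)\big(p(f,e)\big)
  \quad\text{as elements of } n'(h \circ f) =_Y n'(h \circ f \circ e),
\text{where } G_2(\bar h) \text{ acts as in Definition 21, transporting along the proofs}
  h(n\,f) = n'(h \circ f) \text{ obtained at the node stage.}
\text{Both sides inhabit an identity type of the set } Y, \text{ a mere proposition, so the}
\text{equation holds automatically: the path constructor } \mathsf{mix} \text{ adds the datum } p
\text{to objects but imposes no further condition on morphisms.}
```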


Example 16 (Contexts and types). The constructor $\sigma_{\mathrm{eq}}$ of type

$(\Gamma : \mathrm{Con})(A : \mathrm{Ty}(\Gamma))(B : \mathrm{Ty}(\mathrm{ext}\,\Gamma\,A)) \to \mathrm{ext}\,(\mathrm{ext}\,\Gamma\,A)\,B =_{\mathrm{Con}} \mathrm{ext}\,\Gamma\,(\sigma\,\Gamma\,A\,B)$


from Example 2 is specified in the context of the previous constructors $\varepsilon$, ext and
$\sigma$ by functors $F : C \to \mathrm{hSet}$ and $G : \int^{C} F \to \mathrm{hSet}$, where $C$ is the category of
algebras of the previous constructors, with


$F(C, T, \varepsilon, \mathrm{ext}, \sigma) := \Sigma(\Gamma : C).\,\Sigma(A : T(\Gamma)).\,T(\mathrm{ext}\,\Gamma\,A)$

and

$G(C, T, \varepsilon, \mathrm{ext}, \sigma, \Gamma, A, B) := \mathrm{ext}\,(\mathrm{ext}\,\Gamma\,A)\,B =_{C} \mathrm{ext}\,\Gamma\,(\sigma\,\Gamma\,A\,B).$


Theorem 23 will show that $G$ is relatively continuous. The corresponding
category of algebras for this constructor specification has objects tuples
$(C, T, e, c, b, s, s_{\mathrm{eq}})$ where $(C, T, e, c, b, s)$ is an algebra for the previous construc-
tors, and


$s_{\mathrm{eq}} : (\Gamma : C) \to (A : T(\Gamma)) \to (B : T(c\,\Gamma\,A)) \to c\,(c\,\Gamma\,A)\,B =_{C} c\,\Gamma\,(s\,\Gamma\,A\,B).$


3.2 Point Constructors 


If $C$ is the base category for a sort signature as in Definition 3, we can define
specific target functors $C \to \mathrm{hSet}$ which are guaranteed to be relatively continu-
ous. Constructors having those as targets are referred to as point constructors.
Intuitively, a point constructor is an operation that returns an element (point) 
of one of the sorts. The corresponding target functor is the forgetful functor 
that projects out the chosen sort. However, sorts can be dependent, so such a 
projection needs to be defined on a category of elements. 

Specifically, let $C$ be a finitely complete category, $H : C \to \mathrm{hSet}$ a functor,
and $C'$ the extended base category with one more sort indexed over $H$. Recall
from Definition 13 that the objects of $C'$ are pairs $(X, P)$, where $X$ is an object
of $C$, and $P$ is a family of sets indexed over $HX$. Let $V_H : C' \to C$ be the forgetful
functor. We define the base target functor corresponding to $H$ to be the functor


$U_H : \int^{C'} (H \circ V_H) \to \mathrm{hSet}$ given by
$U_H(X, P, x) = P(x).$


In other words, given an object $X$ of $C$, a family $P$ over $HX$, and a point $x$ in
the base, the functor $U_H$ returns the fibre of the family $P$ over $x$. The action of
$U_H$ on morphisms is the obvious one.


Example 17 (Permutable trees). In Example 15, the functor $G_0 : \int^{\mathrm{hSet}} F_0 \to \mathrm{hSet}$
specifying the target of leaf is the composition of the forgetful $\int^{\mathrm{hSet}} F_0 \to \mathrm{hSet}$
with the base target functor for the only sort, in this case the identity $\mathrm{id} : \mathrm{hSet} \to$
$\mathrm{hSet}$.


Note that $U_H = \mathrm{id}$ in Example 17 is relatively continuous, as required by Def-
inition 12. In the rest of this section, we will show that this is true in general.
Given a category $C$ and a functor $F : C \to \mathrm{hSet}$, it is well known that the slice
category over $F$ of the functor category $C \to \mathrm{hSet}$ is equivalent to the functor
category $\int^{C} F \to \mathrm{hSet}$ (see for example [24, Proposition 1.1.7]). Given a functor
$G : C \to \mathrm{hSet}$ and a natural transformation $\alpha : G \to F$, we will refer to the func-
tor $\hat G : \int^{C} F \to \mathrm{hSet}$ corresponding to $\alpha$ as the functor of fibres of $\alpha$. Concretely,
$\hat G$ maps an object $(X, x)$, where $x : FX$, to the fibre of $\alpha_X$ over $x$. The following
theorem is proved by noting that $U_H$ is a functor of fibres.

Theorem 18 (Base target functors are relatively continuous). Let $C$ be
a complete category, $H : C \to \mathrm{hSet}$ any functor, and $C'$ the extended base category
corresponding to $H$. Then the base target functor $U_H$ is relatively continuous.


3.3 Reindexing Target Functors 


In many cases, we can obtain suitable target functors by composing the desired 
base target functor with the forgetful functor to the appropriate stage of the 
base category. When building constructors one at a time, it will follow from 
Theorems 25 and 10 applied to the previous steps that this forgetful functor is 
continuous, and the relative continuity of the target functor will follow. In more 
complicated examples, composing with a forgetful functor is not quite enough. 
We often want to “substitute into” or reindex a target functor to target a spe-
cific element. For example, in the context of Example 2, consider a hypothetical
modified $\sigma$ constructor of the form


$\sigma' : (\Sigma(\Gamma : \mathrm{Con}).\,\Sigma(A : \mathrm{Ty}(\Gamma)).\,\mathrm{Ty}(\mathrm{ext}\,\Gamma\,A)) \to \mathrm{Ty}(\mathrm{ext}\,\Gamma\,A).$


We want the target functor to return the set $\mathrm{Ty}(\mathrm{ext}\,\Gamma\,A)$, and not just $\mathrm{Ty}(x)$ for
a new argument $x$, which is the result of the base target functor. We can obtain
the desired target functor as a composition


$\int^{C} F \xrightarrow{\;S\;} \int^{\mathrm{Fam}(\mathrm{hSet})} (H \circ V_H) \xrightarrow{\;U_H\;} \mathrm{hSet}, \qquad (1)$


where $C$ is the category with objects tuples $(C, T, \varepsilon, \mathrm{ext})$, $F : C \to \mathrm{hSet}$ is
the functor giving the arguments of the constructor $\sigma'$, $U_H$ is the base tar-
get functor corresponding to the second sort, and $S$ is the functor defined by
$S(C, T, \varepsilon, \mathrm{ext}, \Gamma, A, B) := (C, T, \mathrm{ext}\,\Gamma\,A)$.

Since the functors S that we compose with in order to “substitute” are of a 
special form, the resulting functor will still be relatively continuous when starting 
with a relatively continuous functor. This is made precise by the following result: 


Lemma 19 (Preservation of relative limit cones).
Suppose given is a commutative diagram of categories and
functors

[diagram: a commutative square with $F : C' \to D'$ above $G : C \to D$, vertical functors $U' : C' \to C$ and $V' : D' \to D$, and below it $U : C \to C_0$ and $V : D \to D_0$]

where $C_0$ and $D_0$ are complete, and $G$ maps $U$-limit cones to $V$-limit cones. Then $F$
maps $(U \circ U')$-limit cones to $(V \circ V')$-limit cones. In particular, if $C$ and $D$ are
complete and $G$ is continuous, then $F$ preserves relative limit cones.


Example 20. Starting from the situation in (1) we can form the diagram

[diagram: top row $\int^{C} F \xrightarrow{\;S\;} \int^{\mathrm{Fam}(\mathrm{hSet})} (H \circ V_H) \xrightarrow{\;U_H\;} \mathrm{hSet}$, with forgetful functors down to the bottom row $C \xrightarrow{\;V\;} \mathrm{Fam}(\mathrm{hSet})$]

where $V : C \to \mathrm{Fam}(\mathrm{hSet})$ is the forgetful functor and hence continuous.
It follows from the second statement of Lemma 19 that $S$ preserves relative limit
cones, hence $G = U_H \circ S$ is relatively continuous by Theorem 18.
3.4 Path Constructors


Path constructors are constructors where the target functor G returns an equality 
type. They can e.g. be used to express laws when constructing an initial algebra 
of an algebraic theory as a QIT. We saw an example of this in Example 1, where 
we had a path constructor of the form 


$\mathrm{mix} : (f : A \to T) \to (e : A \simeq A) \to \mathrm{node}(f) = \mathrm{node}(f \circ e).$


The argument functor for mix is entirely unproblematic. However, it is perhaps
not so clear that the target functor, which sends $(X, l, n, f, e)$ to the equality type
$n(f) =_X n(f \circ e)$, is relatively continuous. The aim of the current section is to
show this for any functor of this form. We first observe that the prototypical such 
equality functor is relatively continuous, and then show that any other target 
functor for a path constructor can be obtained by substitution using Lemma 19. 


Definition 21. Let $\mathrm{Eq} : \int^{\mathrm{hSet}} (\mathrm{id} \times \mathrm{id}) \to \mathrm{hSet}$ be the functor defined on objects by


$\mathrm{Eq}(X, x, y) := x =_X y$ and on morphisms by $\mathrm{Eq}(f, p_x, p_y) = p_x^{-1} \cdot (\mathrm{ap}\,f\,{-}) \cdot p_y.$


It is not hard to see that Eq is a functor. Furthermore, Eq is the functor of
fibres of the obvious diagonal natural transformation $\Delta : \mathrm{id} \to \mathrm{id} \times \mathrm{id}$.


Lemma 22. The standard equality functor Eq is relatively continuous. 


The lemma we have just given is central to the observation that a large class 
of equality functors are suitable targets for constructors: 


Theorem 23 (Equality functors are relatively continuous). Let $C$ be a
complete category, $F : C \to \mathrm{hSet}$ any functor, and $G : \int^{C} F \to \mathrm{hSet}$ a relatively
continuous functor. Suppose given two global elements $l, r$ of $G$, i.e. natural
transformations $l, r : 1 \to G$. The map


$\mathrm{Eq}_G(l, r) : \int^{C} F \to \mathrm{hSet}$


with $\mathrm{Eq}_G(l, r)(Y) = (l_Y =_{G(Y)} r_Y)$ extends to a relatively continuous functor.


Example 24 (Permutable trees). The target of the mix constructor from Exam-
ple 1 can be obtained as an equality functor in this sense. We take $G$ to be
the underlying sort, which is relatively continuous by the results of the previ-
ous section. The global elements $l$ and $r$ are defined by $l(X, l, n, f, e) = n(f)$ and
$r(X, l, n, f, e) = n(f \circ e)$. Their naturality can easily be verified directly.


Iterating equality functors, one can also express higher path constructors, 
but in our limited setting of inductively defined sets, there is little reason to go 
beyond one level of path constructors — higher ones will have no effect on the 
resulting inductive type. However, we believe that the ease with which Theo- 
rem 23 can be applied iteratively will be an important feature when generalising 
our technique to general higher inductive types. We discuss this further in Sect. 5. 
3.5 Categories of Algebras are Complete


Recall from Definition 13 that the category of algebras $C.(F, G)$ for a constructor
specification $(F, G)$ on a complete category $C$ has “dependent $(F, G)$-dialgebras”
as objects, and maps that commute with the dialgebra structure as morphisms.
In this section, we will show that $C.(F, G)$ is complete, and that its forgetful
functor is continuous. The significance of this result is twofold: First of all, it
enables the use of limits when reasoning about algebras; in particular, we will 
show in Sect.4 how, using products and equalisers, one can extend the classical 
equivalence between initiality and induction for ordinary inductive types to our 
setting. Secondly, it goes a long way towards establishing existence of initial 
algebras; since a category of algebras over n + 1 constructors is complete, and 
the forgetful functor to the category of algebras over the first n preserves limits, 
the adjoint functor theorem says that this functor has a left adjoint if and only 
if it satisfies the solution set condition. Applying this argument at every stage, 
we get a left adjoint for the forgetful functor down to hSet, and in particular 
an initial object. There is no reason to expect the solution set condition to hold 
at this generality, but we expect it to follow from appropriate “accessibility” 
conditions on the argument functors. This is discussed further in Sect. 5. 


Theorem 25 (Categories of algebras are complete). Let (F,G) be a con- 
structor specification on a complete category C. Then C.(F, G) is complete. 


4 Elimination Principles 


So far, we have given rules for specifying a QIIT by giving a sort signature
and a list of constructors. As type-theoretical rules, these correspond to the
formation and introduction rules for the QIIT. In this section, we introduce the
corresponding elimination rules, stating that a QIIT is the smallest type closed
under its constructors. We show that a categorical formulation of the elimination
rules is equivalent to the universal property of initiality.


4.1 The Section Induction Principle 


The elimination principle for an algebra $X$ states that every fibred algebra over $X$
has a section, where a fibred algebra over $X$ is an algebra family “$Q : X \to \mathrm{hSet}$”,
and a section of it a dependent algebra morphism “$(x : X) \to Q(x)$”.² The usual
correspondence between type families and fibrations extends to algebras, and
so we formulate the elimination rule for $X$ as $X$ being section inductive in the
category of algebras in the following sense:


Definition 26 (Section inductive). An object $X$ of a category $C$ is section
inductive if for every object $Y$ of $C$ and morphism $p : Y \to X$, there exists
$s : X \to Y$ such that $p \circ s = \mathrm{id}_X$.


For an algebra $X$, the existence of the underlying function(s) $X \to Y$ corre-
sponds to the elimination rules, while the fact that they are algebra morphisms
corresponds to the computation rules.


² See Dijkstra’s thesis [16, Sect. 5.4] for the general definition of fibred algebras and
their morphisms — here we restrict ourselves to examples only for space reasons.


Example 27 (Permutable trees). Consider permutable-tree algebras, e.g. tuples
$(X, l, n, p)$ as in Example 15. A fibred permutable-tree algebra over $(X, l, n, p)$
consists of $Q : X \to \mathrm{hSet}$ together with $m_l : Q(l)$ and


$m_n : (f : A \to X) \to (g : (a : A) \to Q(f\,a)) \to Q(n\,f)$

$m_p : (f : A \to X) \to (g : (a : A) \to Q(f\,a)) \to (e : A \simeq A) \to m_n\,f\,g =_{[\mathrm{ap}\,Q\,(p\,f\,e)]} m_n\,(f \circ e)\,(g \circ e)$


Here the type $x =_{[p]} y$ is the type of equalities between elements $x : A$
and $y : B$ in different types, themselves related by an equality proof $p : A = B$.
This data can be arranged into an ordinary algebra $\Sigma(x : X).\,Q(x)$, together
with an algebra morphism $\pi_1 : (\Sigma(x : X).\,Q(x)) \to X$. A section of $\pi_1$ is
a dependent function $h : (x : X) \to Q(x)$. Since $h$ comes from an algebra
morphism, we further know e.g. $h(l) = m_l$ and $h(n\,f) = m_n\,f\,(h \circ f)$. Conversely,
every algebra morphism $g : (X', l', n', p') \to (X, l, n, p)$ gives rise to a fibred
algebra $(Q, m_l, m_n, m_p)$ by considering the fibres $Q(x) = \Sigma(y : X').\,g(y) = x$
of $g$. The points $m_l$, $m_n$ and the path $m_p$ arise from the proof that $g$ preserves
$l'$, $n'$ and $p'$.


Example 28 (Contexts and types). For context-and-types algebras from Exam-
ple 16, a fibred algebra over $(C, T, e, c, b, s, s_{\mathrm{eq}})$ consists of $Q : C \to \mathrm{hSet}$ and
$R : (x : C) \to T(x) \to Q(x) \to \mathrm{hSet}$, together with $m_e : Q(e)$ and


$m_c : (\Gamma : C) \to (x : Q(\Gamma)) \to (A : T(\Gamma)) \to R(\Gamma, A, x) \to Q(c\,\Gamma\,A)$

$m_b : (\Gamma : C) \to (x : Q(\Gamma)) \to R(\Gamma, b\,\Gamma, x)$

$m_s : (\Gamma : C) \to (x : Q(\Gamma)) \to (A : T(\Gamma)) \to (y : R(\Gamma, A, x)) \to (B : T(c\,\Gamma\,A))$
$\quad \to (z : R(c\,\Gamma\,A, B, m_c\,\Gamma\,x\,A\,y)) \to R(\Gamma, s\,\Gamma\,A\,B, x)$

$m_{\mathrm{eq}} : (\Gamma : C) \to (x : Q(\Gamma)) \to (A : T(\Gamma)) \to (y : R(\Gamma, A, x)) \to (B : T(c\,\Gamma\,A))$
$\quad \to (z : R(c\,\Gamma\,A, B, m_c\,\Gamma\,x\,A\,y))$
$\quad \to m_c\,(c\,\Gamma\,A)\,(m_c\,\Gamma\,x\,A\,y)\,B\,z =_{[\mathrm{ap}\,Q\,(s_{\mathrm{eq}}\,\Gamma\,A\,B)]} m_c\,\Gamma\,x\,(s\,\Gamma\,A\,B)\,(m_s\,\Gamma\,x\,A\,y\,B\,z)$


Again, this data can be arranged into an ordinary algebra with base $C' : \mathrm{hSet}$,
$T' : C' \to \mathrm{hSet}$, where $C' = \Sigma(x : C).\,Q(x)$ and $T'(x, q) = \Sigma(y : T(x)).\,R(x, y, q)$,
together with an algebra morphism $(\pi_1, \pi_1) : (C', T') \to (C, T)$. A section of this
morphism gives functions $f : (x : C) \to Q(x)$ and $g : (x : C) \to (y : T(x)) \to$
$R(x, y, f\,x)$ that preserve the algebra structure.


A general account of the equivalence between the usual formulation of the 
elimination rules and the section induction principle is in Dijkstra [16, Sect. 5.4]. 
4.2 Initiality, and its Relation to the Section Induction Principle


The section induction principle for an algebra X matches our intuitive under- 
standing of the elimination rules for X quite well, but it is perhaps a priori not 
so clear that e.g. satisfying it defines an algebra uniquely up to equivalence. In 
this section, we show that this is the case by proving that the section induction 
principle is equivalent to the categorical property of initiality. Recall that a type 
is contractible if it is equivalent to the unit type [34, Definition 3.11.1]. 


Definition 29 (Initiality). An object $X$ of a category $C$ is (homotopy) initial
if for every object $Y$ of $C$, the set of morphisms $X \to Y$ is contractible.


It is easy to see that initiality implies section induction, while the converse 
requires additional structure on C: 


Lemma 30. If an object $X$ in a category $C$ is initial, then it is section inductive.
If $C$ has finite limits and $X$ is section inductive, then $X$ is initial.


From here, we can show the main theorem of the current section. The proof 
uses the fact that both statements involved are mere propositions, i.e. they have 
at most one proof. 


Theorem 31 (Initiality = section induction). An object $X$ in a category
of algebras $C.(F, G)$ being initial is equivalent to it being section inductive.


As an application, we can now reason about QIITs using their categories of 
algebras. For instance, we get a short proof of the following fact: 


Corollary 32. The interval is equivalent to the unit type. 


Proof. By Theorem 31, the interval is the initial object in the category with
objects $\Sigma(X : \mathrm{hSet}).\,\Sigma(x : X).\,\Sigma(y : X).\,x =_X y$, while the unit type is the
initial object in the category with objects $\Sigma(X : \mathrm{hSet}).\,X$. By contractibility
of singleton types [34, Lemma 3.11.8], the former is equivalent to the latter,
and since initiality is a universal property, the two initial objects coincide up to
equivalence.


5 Conclusions and Further Work 


We have developed a semantic framework for QIITs: A QIIT description gives
rise to a category of algebras, and the initial object of this category represents
the types and constructors of the QIIT. This generalises the usual functorial
semantics of inductive types to a more general setting. So far we have verified the
appropriateness of this setting by means of examples. In future work, we would
like to explicitly relate the syntax of QIITs to the corresponding semantics.
Our categories of algebras are complete. This is helpful for the metatheory
of QIITs, as demonstrated by the proof of initiality being equivalent to section
induction (Theorem 31), justifying elimination principles. Of course, complete-
ness is not by itself sufficient to derive the existence of initial algebras, but it
suggests that it should be possible to restrict the argument functors to guaran-
tee this, possibly by reducing QIITs to a basic type former playing an analogous
role to that of W-types for inductive types. We believe that completeness of
the categories of algebras allows an existence proof using the adjoint functor
theorem.

We have restricted our attention to QIITs, but we believe that our construc- 
tion is applicable to general HITs (and even HIITs). While at first glance such 
an extension of our framework seems to require an internal theory of $(\infty, 1)$-
categories, we believe that it is enough to keep track of only a very limited 
number of coherence conditions, making this extension possible even without 
solving the well-known problem of specifying an infinite tower of coherences in 
HoTT. 

Other possible future directions include the combination of QIITs and 
induction-recursion, and the possibility of generalising coinductive types along 
similar lines. These generalisations should be driven by examples, similar to how 
the examples discussed in the current paper have motivated the need for a theory 
of QIITs. 
Abstract. Notions of guardedness serve to delineate the admissibility of
cycles, e.g. in recursion, corecursion, iteration, or tracing. We introduce 
an abstract notion of guardedness structure on a symmetric monoidal 
category, along with a corresponding notion of guarded traces, which are 
defined only if the cycles they induce are guarded. We relate structural 
guardedness, determined by propagating guardedness along the oper- 
ations of the category, to geometric guardedness phrased in terms of 
a diagrammatic language. In our setup, the Cartesian case (recursion) 
and the co-Cartesian case (iteration) become completely dual, and we 
show that in these cases, guarded tracedness is equivalent to presence 
of a guarded Conway operator, in analogy to an observation on total 
traces by Hasegawa and Hyland. Moreover, we relate guarded traces to 
unguarded categorical uniform fixpoint operators in the style of Simp- 
son and Plotkin. Finally, we show that partial traces based on Hilbert- 
Schmidt operators in the category of Hilbert spaces are an instance of 
guarded traces. 


1 Introduction 


In models of computation, various notions of guardedness serve to control 
cyclic behaviour by allowing only guarded cycles, with the aim to ensure 
properties such as solvability of recursive equations or productivity. Typical 
examples are guarded process algebra specifications [6,29], coalgebraic guarded 
(co-)recursion [27,33], finite delay in online Turing machines [9], and produc- 
tive definitions in intensional type theory [1,30], but also contractive maps in 
(ultra-)metric spaces [24]. 

A highly general model for unrestricted cyclic computations, on the other 
hand, are traced monoidal categories [22]; besides recursion and iteration, 
they cover further kinds of cyclic behaviour, e.g. in Girard’s Geometry of 
Interaction [4,14] and quantum programming [3,34]. In the present paper we 
parametrize the framework of traced symmetric monoidal categories with a 
notion of guardedness, arriving at (abstractly) guarded traced categories, which 
effectively vary between two extreme cases: symmetric monoidal categories 
(nothing is guarded) and traced symmetric monoidal categories (everything is 
guarded). In terms of the standard diagrammatic language for traced monoidal 
categories, we decorate input and output gates of boxes to indicate guarded- 
ness; the diagram governing trace formation would then have the general form 
depicted in Fig. 1 — that is, we can only form traces connecting guarded (black)
output gates to input gates that are unguarded (black), i.e. not assumed to be
already guarded.

We provide basic structural results on our notion
of abstract guardedness, and identify a wide array of
examples. Specifically, we establish a geometric charac-
terization of guardedness in terms of paths in diagrams;
we identify a notion of guarded ideal, along with a con-
struction of guardedness structures from guarded ideals
and simplifications of this construction for the (co-)Cartesian and the Carte-
sian closed case; and we describe ‘vacuous’ guardedness structures where traces
do not actually generate proper diagrammatic cycles. In terms of examples, we
begin with the case where the monoidal structure is either product (Cartesian), 
corresponding to guarded recursion, or coproduct (co-Cartesian), for guarded 
iteration; the axioms for guardedness allow for a basic duality that indeed makes 
these two cases precisely dual. For total traces in Cartesian categories, Hasegawa 
and Hyland observed that trace operators are in one-to-one correspondence with 
Conway fixpoint operators [18,19]; we extend this correspondence to the guarded 
case, showing that guarded trace operators on a Cartesian category are in one-to- 
one correspondence with guarded Conway operators. In a more specific setting, 
we relate guarded traces in Cartesian categories to unguarded categorical uniform 
fixpoints as studied by Crole and Pitts [11] and by Simpson and Plotkin [37,38]. 
Concluding with a case where the monoidal structure is a proper tensor product, 
we show that the partial trace operation on (infinite-dimensional) Hilbert spaces 
is an instance of vacuous guardedness; this result relates to work by Abramsky, 
Blute, and Panangaden on traces over nuclear ideals, in this case over Hilbert- 
Schmidt operators [2]. 


Fig. 1. Guarded trace 


Related Work. Abstract guardedness serves to determine definedness of a 
guarded trace operation, and thus relates to work on partial traces. We dis- 
cuss work on nuclear ideals [2] in Sect.6. In partial traced categories [17,26], 
traces are governed by a partial equational version (consisting of both strong and 
directed equations) of the Joyal-Street-Verity axioms; morphisms for which trace 
is defined are called trace class. A key difference to the approach via guardedness 
is that being trace class applies only to morphisms with inputs and outputs of 
matching types while guardedness applies to arbitrary morphisms, allowing for 
compositional propagation. Also, the axiomatizations are incomparable: Unlike 
for trace class morphisms [17, Remark 2.2], we require guardedness to be closed 
under composition with arbitrary morphisms (thus covering contractivity but 
not, e.g., monotonicity as in the modal $\mu$-calculus); on the other hand, as noted
by Jeffrey [21], guarded traces, e.g. of contractions, need not satisfy Vanishing 
II as a Kleene equality as assumed in partial traced categories. Some approaches 
treat traces as partial over objects [8,20]. In concrete algebraic categories, par- 
tial traces can be seen as induced by total traces in an ambient category of 
relations [5]. We discuss work on guardedness via endofunctors in Remark 23. 
2 Preliminaries


We recall requisite categorical notions; see [25] for a comprehensive introduction. 


Symmetric Monoidal Categories. A symmetric monoidal category $(C, \otimes, I)$
consists of a category $C$ (with object class $|C|$), a bifunctor $\otimes$ (tensor product),
and a (tensor) unit $I \in |C|$, and coherent isomorphisms witnessing that $\otimes$ is,
up to isomorphism, a commutative monoid structure with unit $I$. For the latter,
we reserve the notation $\alpha_{A,B,C} : (A \otimes B) \otimes C \cong A \otimes (B \otimes C)$ (associator),
$\gamma_{A,B} : A \otimes B \cong B \otimes A$ (symmetry), and $\upsilon_A : I \otimes A \cong A$ (left unitor); the right
unitor $\hat\upsilon_A : A \otimes I \cong A$ is expressible via the symmetry. A symmetric monoidal
category is Cartesian if the monoidal structure is finite product (i.e. $\otimes = \times$,
and $I = 1$ is a terminal object), and, dually, co-Cartesian if the monoidal struc-
ture is finite coproduct (i.e. $\otimes = +$, and $I = 0$ is an initial object). Coproduct
injections are written $\mathrm{in}_i : X_i \to X_1 + X_2$ $(i = 1, 2)$, and product projections
$\mathrm{pr}_i : X_1 \times X_2 \to X_i$. Various notions of algebraic tensor products also induce
symmetric monoidal structures; see Sect. 6 for the case of Hilbert spaces. One
has an obvious expression language for objects and morphisms in symmetric
monoidal categories [36], the former obtained by postulating basic objects and
closing under $I$ and $\otimes$, and the latter by postulating basic morphisms of given
profile and closing under $\otimes$, $I$, composition, identities, and the monoidal isomor-
phisms, subject to the evident notion of well-typedness. Morphism expressions are
conveniently represented as diagrams consisting of boxes representing the basic
morphisms, with input and output gates corresponding to the given profile. Ten-
soring is represented by putting boxes on top of each other, and composition by
wires connecting outputs to inputs [36]. In a traced symmetric monoidal category
one has an additional operation (trace) that essentially enables the formation of
loops in diagrams, as in Fig. 1 (but without decorations).


Monads and (Co-)algebras. A(n $F$-)coalgebra for a functor $F : C \to C$ is
a pair $(X, f : X \to FX)$ where $X \in |C|$, thought of as modelling states and
generalized transitions [33]. A final coalgebra is a final object in the category of
coalgebras (with $C$-morphisms $h : X \to Y$ such that $(Fh)\,f = g\,h$ as morphisms
$(X, f) \to (Y, g)$), denoted $(\nu F, \mathrm{out} : \nu F \to F\nu F)$ if it exists. Dually, an $F$-
algebra has the form $(X, f : FX \to X)$. A monad $\mathbb{T} = (T, \eta, \mu)$ on a category
$C$ consists of an endofunctor $T$ on $C$ and natural transformations $\eta : \mathrm{Id} \to T$
(unit) and $\mu : T^2 \to T$ (multiplication) subject to standard equations [25]. As
observed by Moggi [31], monads can be seen as capturing computational effects
of programs, with $TX$ read as a type of computations with side effects from
$\mathbb{T}$ and results in $X$. In this view, the Kleisli category $C_{\mathbb{T}}$ of $\mathbb{T}$, which has the
same objects as $C$ and $\mathrm{Hom}_{C_{\mathbb{T}}}(X, Y) = \mathrm{Hom}_C(X, TY)$, is a category of side-
effecting programs. A monad is strong if it is equipped with a strength, i.e.
a natural transformation $X \times TY \to T(X \times Y)$ satisfying evident coherence
conditions (e.g. [31]). A $T$-algebra $(A, a)$ is an (Eilenberg-Moore) $\mathbb{T}$-algebra (for
the monad $\mathbb{T}$) if additionally $a\,\eta = \mathrm{id}$ and $a\,(Ta) = a\,\mu_A$; the category of $\mathbb{T}$-
algebras is denoted $C^{\mathbb{T}}$.
3 Guarded Categories


We now introduce our notion of guarded structure. A standard example of guard- 
edness are guarded definitions in process algebra. E.g. in the definition P = a.P, 
the right hand occurrence of P is guarded, ensuring unique solvability (by a 
process that keeps outputting a). A further example is contractivity of maps 
between complete metric spaces. We formulate abstract closure properties for 
partial guardedness where only some of the inputs and outputs of a morphism 
are guarded. Specifically, we distinguish guarded outputs and guarded inputs (D 
and B, respectively, in the following definition), with the intended reading that 
guarded outputs yield guarded data provided guarded data is already provided 
at guarded inputs, while unguarded inputs may be fed arbitrarily. 


Fig. 2. Axioms of guarded categories 


Definition 1 (Guarded category). An (abstractly) guarded category is a
symmetric monoidal category $(C, \otimes, I)$ equipped with distinguished subsets
$\mathrm{Hom}^\bullet(A \otimes B, C \otimes D) \subseteq \mathrm{Hom}(A \otimes B, C \otimes D)$ of partially guarded morphisms
for $A, B, C, D \in |C|$, satisfying the following conditions:


(uni$_\bullet$) $\gamma_{I,A} \in \mathrm{Hom}^\bullet(I \otimes A, A \otimes I)$;

(vac$_\bullet$) $f \otimes g \in \mathrm{Hom}^\bullet(A \otimes B, C \otimes D)$ for all $f : A \to C$, $g : B \to D$;

(cmp$_\bullet$) $g \in \mathrm{Hom}^\bullet(A \otimes B, E \otimes F)$ and $f \in \mathrm{Hom}^\bullet(E \otimes F, C \otimes D)$ imply $fg \in$
$\mathrm{Hom}^\bullet(A \otimes B, C \otimes D)$;

(par$_\bullet$) for $f \in \mathrm{Hom}^\bullet(A \otimes B, C \otimes D)$, $g \in \mathrm{Hom}^\bullet(A' \otimes B', C' \otimes D')$, the evident
transpose of $f \otimes g$ is in $\mathrm{Hom}^\bullet((A \otimes A') \otimes (B \otimes B'), (C \otimes C') \otimes (D \otimes D'))$.


We emphasize that $\mathrm{Hom}^\bullet(A \otimes B, C \otimes D)$ is meant to depend individually on $A$,
$B$, $C$, $D$ and not just on $A \otimes B$ and $C \otimes D$.


One easily derives a weakening rule stating that if $f \in \mathrm{Hom}^\bullet((A \otimes A') \otimes B, C \otimes (D' \otimes D))$, 
then the obvious transpose of $f$ is in $\mathrm{Hom}^\bullet(A \otimes (A' \otimes B), (C \otimes D') \otimes D)$. 
We extend the standard diagram language for symmetric monoidal categories 
(Sect. 2), representing morphisms $f \in \mathrm{Hom}^\bullet(A \otimes B, C \otimes D)$ by decorated boxes, 
with black bars marking the unguarded input gates $A$ and the guarded output 
gates $D$. Weakening then corresponds to shrinking the black bars of decorated 
boxes. Figure 2 depicts the above axioms in this language. Solid boxes represent 
the assumptions, while dashed boxes represent the conclusions. The latter only 
occur in the derivation process and do not form part of the actual diagrams 
representing concrete morphisms. We silently identify object expressions and sets 
of gates in diagrams. Given a (well-typed) morphism expression $e$, a judgement 
$e \in \mathrm{Hom}^\bullet(A \otimes B, C \otimes D)$, called a guardedness typing of $e$, is derivable if it can 
be derived from the assumed guardedness typing of the constituent basic boxes 
of $e$ using the rules in Definition 1. We have an obvious notion of (directed) 
paths in diagrams; a path is guarded if it passes some basic box $f$ through an 
unguarded input gate and a guarded output gate (intuitively, guardedness is 
then introduced along the path as the passage through $f$ will guarantee guarded 
output without assuming guarded input). We then have the following geometric 
characterization of guardedness typing: 


Theorem 2. For a well-typed morphism expression $e \in \mathrm{Hom}(A \otimes B, C \otimes D)$, 
the guardedness typing $e \in \mathrm{Hom}^\bullet(A \otimes B, C \otimes D)$ is derivable iff in the diagram 
of $e$, every path from an input gate in $A$ to an output gate in $D$ is guarded. 


Every symmetric monoidal category has both a largest ($\mathrm{Hom}^\bullet(A \otimes B, C \otimes D) = 
\mathrm{Hom}(A \otimes B, C \otimes D)$) and a least guarded structure: 


Lemma and Definition 3 (Vacuous guardedness). Every symmetric 
monoidal category is guarded under taking $f \in \mathrm{Hom}^\bullet(A \otimes B, C \otimes D)$ iff $f$ factors as 


$$A \otimes B \xrightarrow{\ \mathrm{id} \otimes g\ } A \otimes E \otimes D \xrightarrow{\ h \otimes \mathrm{id}\ } C \otimes D$$ 

(eliding associativity) with $g\colon B \to E \otimes D$, $h\colon A \otimes E \to C$. This is the least 
guarded structure on $\mathbf{C}$, the vacuous guarded structure. 


E.g. the natural guarded structure on Hilbert spaces (Sect. 6) is vacuous. 


Remark 4 (Duality). The rules and axioms in Fig. 2 are stable under 180°-rotation, 
that is, under reversing arrows and applying the monoidal symmetry 
on both sides (this motivates decorating the unguarded inputs). Consequently, if 
$\mathbf{C}$ is guarded, then so is the dual category $\mathbf{C}^{\mathrm{op}}$, with guardedness given by 
$f \in \mathrm{Hom}^\bullet_{\mathbf{C}^{\mathrm{op}}}(A \otimes B, C \otimes D)$ iff the obvious transpose of $f$ is in $\mathrm{Hom}^\bullet_{\mathbf{C}}(D \otimes C, B \otimes A)$. 


In case $\otimes$ is coproduct, we can simplify the description of partial guardedness: 


Proposition 5. Partial guardedness in a co-Cartesian category $(\mathbf{C}, +, \emptyset)$ is 
equivalently determined by distinguished subsets $\mathrm{Hom}_\sigma(X, Y) \subseteq \mathrm{Hom}(X, Y)$ with 
$\sigma$ ranging over coproduct injections $Y_2 \to Y_1 + Y_2 = Y$, subject to the rules on 
the right hand side of Fig. 3, where $f\colon X \to_\sigma Y$ denotes $f \in \mathrm{Hom}_\sigma(X, Y)$, with 
$f \in \mathrm{Hom}^\bullet(X_1 + X_2, Y_1 + Y_2)$ iff $f\,\mathrm{in}_1 \in \mathrm{Hom}_{\mathrm{in}_2}(X_1, Y_1 + Y_2)$. 


We have used the rules just mentioned in previous work on guarded iteration 
[16] (with (vac$_+$) called (trv), and together with weakening, which as 
indicated above turns out to be derivable). By duality (Remark 4), we immediately 
have a corresponding description for the Cartesian case: 


Corollary 6. Partial guardedness in a Cartesian category $(\mathbf{C}, \times, 1)$ is 
equivalently determined by distinguished subsets $\mathrm{Hom}^\sigma(X, Y) \subseteq \mathrm{Hom}(X, Y)$ with $\sigma$ 
ranging over product projections $X = X_1 \times X_2 \to X_1$, subject to the rules on 
the left hand side of Fig. 3, where $f\colon X \to^\sigma Y$ denotes $f \in \mathrm{Hom}^\sigma(X, Y)$, with 
$f \in \mathrm{Hom}^\bullet(X_1 \times X_2, Y_1 \times Y_2)$ iff $\mathrm{pr}_2 f \in \mathrm{Hom}^{\mathrm{pr}_1}(X_1 \times X_2, Y_2)$. 
Cartesian rules (left hand side of Fig. 3), premises before conclusions: 

(vac$_\times$) from $f\colon X \to Z$ infer $f\,\mathrm{pr}_1\colon X \times Y \to^{\mathrm{pr}_2} Z$; 

(cmp$_\times$) from $f\colon X \times Y \to^{\mathrm{pr}_2} Z$, $g\colon V \to^\sigma X$ and $h\colon V \to Y$ infer 
$f\langle g, h\rangle\colon V \to^\sigma Z$; 

(par$_\times$) from $f\colon X \to^\sigma Y$ and $g\colon X \to^\sigma Z$ infer $\langle f, g\rangle\colon X \to^\sigma Y \times Z$. 

Co-Cartesian rules (right hand side of Fig. 3): 

(vac$_+$) from $f\colon X \to Z$ infer $\mathrm{in}_1 f\colon X \to_{\mathrm{in}_2} Z + Y$; 

(cmp$_+$) from $f\colon X \to_{\mathrm{in}_2} Y + Z$, $g\colon Y \to_\sigma V$ and $h\colon Z \to V$ infer 
$[g, h]\,f\colon X \to_\sigma V$; 

(par$_+$) from $f\colon X \to_\sigma Z$ and $g\colon Y \to_\sigma Z$ infer $[f, g]\colon X + Y \to_\sigma Z$. 


Fig. 3. Axioms of Cartesian (left) and co-Cartesian (right) guarded categories 


Remark 7. In a co-Cartesian category, vacuous guardedness (Lemma 3) can 
equivalently be described by $f \in \mathrm{Hom}^\bullet(A + B, C + D)$ iff $f$ decomposes as 
$f = [\mathrm{in}_1 h, g]$ (uniquely provided that $\mathrm{in}_1$ is monic), or in terms of the description 
from Proposition 5, $u \in \mathrm{Hom}_{\mathrm{in}_2}(X, Y + Z)$ iff $u$ factors through $\mathrm{in}_1$. Of course, 
the dual situation obtains in Cartesian categories. 


Example 8 (Process algebra). Fix a monad $T$ on $(\mathbf{C}, +, \emptyset)$ and an endofunctor 
$\Sigma\colon \mathbf{C} \to \mathbf{C}$ such that the generalized coalgebraic resumption transform 
$T_\Sigma = \nu\gamma.\, T(- + \Sigma\gamma)$ exists; we think of $T_\Sigma X$ as a type of processes that have 
side-effects in $T$ and perform communication actions from $\Sigma$, seen as a generalized 
signature. The Kleisli category $\mathbf{C}_{T_\Sigma}$ of $T_\Sigma$ is again co-Cartesian. Putting 


$$f\colon X \to_{\mathrm{in}_2} T_\Sigma(Y + Z) \iff \mathrm{out}\,f \in \{T(\mathrm{in}_1 + \mathrm{id})\,g \mid g\colon X \to T(Y + \Sigma T_\Sigma(Y + Z))\}$$ 


(cf. Sect. 2 for notation), we make $\mathbf{C}_{T_\Sigma}$ into a guarded category [16]. The standard 
motivating example of finitely nondeterministic processes is obtained by 
taking $T = \mathcal{P}_\omega$ (finite powerset monad) and $\Sigma = A \times -$ (action prefixing). 


Example 9 (Metric spaces). Let $\mathbf{C}$ be the Cartesian category of metric spaces 
and non-expansive maps. Taking $f\colon X \times Y \to^{\mathrm{pr}_2} Z$ iff $\lambda y.\, f(x, y)$ is contractive 
for every $x \in X$ makes $\mathbf{C}$ into a guarded Cartesian category. 


4 Guardedness via Guarded Ideals 


Most of the time, the structure of a guarded category is determined by morphisms 
with only unguarded inputs and guarded outputs, which form an ideal: 


Definition 10 (Guarded morphisms). A morphism $f\colon X \to Y$ in a 
guarded category is guarded (as opposed to only partially guarded) if 
$\lambda_Y^{-1} f \rho_X \in \mathrm{Hom}^\bullet(X \otimes I, I \otimes Y)$; we write $\mathrm{Hom}^\bullet(X, Y)$ for the set of guarded morphisms 
$f\colon X \to Y$. 


Definition 11 (Guarded ideal). A family $G$ of subsets $G(X, Y) \subseteq \mathrm{Hom}(X, Y)$ 
($X, Y \in |\mathbf{C}|$) in a monoidal category $(\mathbf{C}, \otimes, I)$ is a guarded ideal if it is closed 
under $\otimes$ and under composition with arbitrary $\mathbf{C}$-morphisms on both sides, and 
$G(I, I) = \mathrm{Hom}(I, I)$. 
There is always a least guarded ideal, $G(X, Y) = \{gf \mid f\colon X \to I,\ g\colon I \to Y\}$. 
Moreover, as indicated above: 


Lemma and Definition 12. In a guarded category, the sets $\mathrm{Hom}^\bullet(X, Y)$ form 
a guarded ideal, the guarded ideal induced by the guarded structure. 


Conversely, it is clear that every guarded ideal generates a guarded structure by 
just closing under the rules of Definition 1. 


Definition 13 (Ideally guarded category). A guarded category is ideal or 
ideally guarded (over G) if it is generated by some guarded ideal (G). 


We give a more concrete description: 


Theorem 14. Let $(\mathbf{C}, \otimes, I)$ be ideally guarded over $G$. Then $\mathrm{Hom}^\bullet(A \otimes B, C \otimes D)$ 
consists of the morphisms of the form 


for $g_i$ in $G$ and arbitrary $p, q, f_i, h_i$. 


The transitions between guarded ideals and guarded structures are not in general 
mutually inverse: the guarded structure generated by the guarded ideal induced by 
a guarded structure may be smaller than the original one (Example 21), and the 
guarded ideal induced by the guarded structure generated by a guarded ideal $G$ 
may be larger than $G$ (Remark 16). We proceed to analyse the details. 


Proposition 15. On every symmetric monoidal category, the least guarded 
structure (Lemma 3) is ideal. 


Remark 16. Vacuously guarded categories need not induce the least guarded 
ideal (although by the next results, this does hold in the Cartesian and the co-Cartesian 
case). In fact, by Lemma 3, the guarded ideal induced by the vacuous 
guarded structure consists of the morphisms of the form $(h \otimes \mathrm{id}_D)(\mathrm{id}_A \otimes g)$ 
(eliding associativity and the unitor) where $g\colon I \to E \otimes D$, $h\colon A \otimes E \to I$. 

This ideal will resurface in the discussion of Hilbert spaces (Sect. 6). 


The situation is simpler in the Cartesian and, dually, in the co-Cartesian case. 


Lemma 17. Let $\mathbf{C}$ be ideally guarded over $G$, and suppose that every $f \in G(X \otimes Y, Z)$ 
factors through $f' \otimes \mathrm{id}\colon X \otimes Y \to V \otimes Y$ for some $f' \in G(X, V)$. 
Then the guardedness structure of $\mathbf{C}$ induces $G$. 
If $\otimes = +$, the premise of the lemma is automatic, since $f \in G(X + Y, Z)$ can 
be represented as $[f\,\mathrm{in}_1, f\,\mathrm{in}_2] = [\mathrm{id}, f\,\mathrm{in}_2]\,(f\,\mathrm{in}_1 + \mathrm{id})$ where $f\,\mathrm{in}_1 \in G(X, Z)$ by 
the closure properties of guarded ideals. Hence, we obtain 


Theorem 18. The guarded structure generated by a guarded ideal $G$ on a co-Cartesian 
category is equivalently described by $\mathrm{Hom}_{\mathrm{in}_2}(X, Y + Z) = \{[\mathrm{in}_1, g]\,h \mid 
g \in G(W, Y + Z),\ h\colon X \to Y + W\}$, and hence induces $G$. 


Corollary 19. The guarded structure generated by a guarded ideal $G$ on a 
Cartesian category is equivalently described by $\mathrm{Hom}^{\mathrm{pr}_1}(X \times Y, Z) = \{h\langle g, \mathrm{pr}_2\rangle \mid 
g \in G(X \times Y, W),\ h\colon W \times Y \to Z\}$, and hence induces $G$. 


The description can be further simplified in the Cartesian closed case. 


Corollary 20. Given a guarded ideal $G$ on a Cartesian closed category, put 
$f\colon X \times Y \to^{\mathrm{pr}_1} Z$ iff $\mathrm{curry}\,f \in G(X, Z^Y)$. This describes the guarded structure 
induced by $G$ iff $G$ is exponential, i.e. closed under exponentiation: $f \in G(X, Y)$ implies $f^V \in G(X^V, Y^V)$. 


(We leave it as an open question whether a similar characterization holds in the 
monoidal closed case.) Natural examples of both ideal and non-ideal guardedness 
are found in metric spaces: 


Example 21 (Metric spaces). The guarded structure on metric spaces from 
Example 9 fails to be ideal: it induces the guarded ideal of contractive maps, 
which however generates the (ideal) guarded structure described by $f\colon X \times Y \to^{\mathrm{pr}_2} Z$ 
iff $f(x, y)$ is uniformly contractive in $y$, i.e. there is $c < 1$ such that 
for every $x$, $\lambda y.\, f(x, y)$ is contractive with contraction factor $c$. 


A large class of ideally guarded structures arises as follows. 


Proposition 22. Let $\mathbf{C}$ be a Cartesian category equipped with an endofunctor 
$\blacktriangleright\colon \mathbf{C} \to \mathbf{C}$ and a natural transformation $\mathrm{next}\colon \mathrm{Id} \to \blacktriangleright$. Then the following 
definition yields a guarded ideal in $\mathbf{C}$: $G(X, Y) = \{f\,\mathrm{next} \mid f\colon \blacktriangleright X \to Y\}$. The 
arising guarded structure is $\mathrm{Hom}^{\mathrm{pr}_1}(X \times Y, Z) = \{f\langle \mathrm{next}, \mathrm{pr}_2\rangle \mid f\colon \blacktriangleright(X \times Y) \times Y \to Z\}$. 
If moreover $\mathrm{next}\colon X \times Y \to \blacktriangleright(X \times Y)$ factors through $\mathrm{next} \times \mathrm{id}\colon 
X \times Y \to \blacktriangleright X \times Y$, then $\mathrm{Hom}^{\mathrm{pr}_1}(X \times Y, Z) = \{f(\mathrm{next} \times \mathrm{id}) \mid f\colon \blacktriangleright X \times Y \to Z\}$. 


Remark 23. Proposition 22 connects our approach to previous work based precisely 
on the assumptions of the proposition [28] (in fact, the term guarded traced 
category is already used there, with different meaning). A limitation of the approach 
via a functor $\blacktriangleright$ arises from the need to fix $\blacktriangleright$ globally, so that, e.g., the 
ideal guarded structure on metric spaces (Example 21) is not covered: capturing 
contractivity via $\blacktriangleright$ requires fixing a single global contraction factor. 


The following instance of Proposition 22 has received extensive recent interest 
in programming semantics: 


Example 24 (Topos of Trees). Let $\mathbf{C}$ be the topos of trees [7], i.e. the 
presheaf category $\mathbf{Set}^{\omega^{\mathrm{op}}}$ where $\omega$ is the preorder of natural numbers (starting 
from 1) ordered by inclusion. An object $X$ of $\mathbf{C}$ is thus a family $(X(n))_{n = 1, 2, \ldots}$ 
of sets with restriction maps $r_n\colon X(n + 1) \to X(n)$. The later-endofunctor 
$\blacktriangleright\colon \mathbf{C} \to \mathbf{C}$ is defined by $\blacktriangleright X(1) = \{*\}$ and $\blacktriangleright X(n + 1) = X(n)$, and the 
natural transformation $\mathrm{next}_X\colon X \to \blacktriangleright X$ by $\mathrm{next}_X(1) = {!}\colon X(1) \to \{*\}$, 
$\mathrm{next}_X(n + 1) = r_n\colon X(n + 1) \to X(n)$. Guarded morphisms according to 
Proposition 22 are called contractive, generalizing the metric setup. Contractive 
morphisms form an exponential ideal, so partial guardedness is described as in 
Corollary 20, and hence agrees with contractivity in part of the input as in [7, 
Definition 2.2]. 


Guarded Traced Categories 


Fig. 4. Axioms of guarded traced categories: (a) Vanishing I, (b) Sliding I, ..., (g) Tightening, (h) Yanking 
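The level-by-level construction of unique fixpoints that Example 24 and Proposition 22 describe can be run on a concrete model. The following is an added example, not code from the paper: it models an object of $\mathbf{Set}^{\omega^{\mathrm{op}}}$ by its prefix sets (length-$n$ tuples, restriction dropping the last entry), represents the single element of $\blacktriangleright X(1)$ by the empty tuple so that $\blacktriangleright X(n) = X(n-1)$ uniformly, and computes the approximants $x_1 = g(*)$, $x_{n+1} = g(x_n)$ of the fixpoint of a contractive $g\colon \blacktriangleright X \to X$. The stream definitions `ones_step`, `fib_step`, `tails_step` and `level_step` are constructed sample inputs.

```python
"""Unique fixpoints of contractive maps in the topos of trees (added example).

An object X of Set^{omega^op} is modelled by prefixes: X(n) is the set of
length-n tuples and r_n : X(n+1) -> X(n) drops the last entry.  With * modelled
as the empty tuple, (>X)(n) = X(n-1) for every n, so a morphism g : >X -> X is
one function sending a prefix of length n-1 to a prefix of length n, compatible
with restriction.  Its unique fixpoint is built level by level:
x_1 = g(*), x_{n+1} = g(x_n).
"""

STAR = ()  # the unique element of (>X)(1), modelled as the empty prefix


def restrict(p):
    """r_n : X(n+1) -> X(n), drop the last entry of the prefix."""
    return p[:-1]


def apply_level(g, p):
    """Apply g at level len(p)+1 and check that it lands in X(len(p)+1)."""
    q = g(p)
    if len(q) != len(p) + 1:
        raise ValueError("not a morphism >X -> X at level %d" % (len(p) + 1))
    return q


def fixpoint(g, n):
    """The n-th approximant x_n of the unique fixpoint of g : >X -> X."""
    x = STAR
    for _ in range(n):
        x = apply_level(g, x)
    return x


def is_compatible(g, n):
    """The approximants form a global element: r(x_{k+1}) == x_k for k < n.
    This fails exactly when g is not natural, i.e. not a presheaf morphism."""
    xs = [fixpoint(g, k) for k in range(1, n + 1)]
    return all(restrict(xs[k]) == xs[k - 1] for k in range(1, n))


def is_guarded_definition(g, n):
    """True iff g determines approximants up to level n.  An unguarded
    definition asks for data of its own level and fails the level check."""
    try:
        fixpoint(g, n)
        return True
    except (ValueError, IndexError):
        return False


# Constructed sample definitions, each given one level at a time.
def ones_step(p):
    """ones = 1 :: ones"""
    return (1,) + p


def fib_step(p):
    """fib = 0 :: 1 :: zipWith (+) fib (tail fib).  The two conses delay the
    recursive occurrences, so level n+1 only needs the length-n prefix p."""
    n = len(p)
    out = (0, 1) + tuple(p[i] + p[i + 1] for i in range(n - 1))
    return out[:n + 1]


def tails_step(p):
    """s = zipWith (+) s (tail s) with no cons: unguarded, so the result is one
    entry short at every level and apply_level rejects it."""
    return tuple(p[i] + p[i + 1] for i in range(len(p) - 1))


def level_step(p):
    """Prepends the current level: has the right lengths but is not natural,
    so its approximants do not restrict to each other."""
    return (len(p),) + p
```

Running `fixpoint(fib_step, 8)` yields the length-8 prefix of the Fibonacci stream, `is_compatible` confirms the approximants form a compatible family, and `is_guarded_definition(tails_step, 3)` is false because the unguarded definition cannot be evaluated at level 1.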


5 Guarded Traces 


As indicated previously, the main purpose of our notion of abstract guardedness 
is to enable fine-grained control over the formation of feedback loops, viz. traces. 


Definition 25 (Guarded traced category). We call a guarded category 
$(\mathbf{C}, \otimes, I)$ guarded traced if it is equipped with a guarded trace operator 


$$\mathrm{tr}^U_{A,B,C,D}\colon \mathrm{Hom}^\bullet((A \otimes U) \otimes B, C \otimes (D \otimes U)) \to \mathrm{Hom}^\bullet(A \otimes B, C \otimes D),$$ 


visually corresponding to the diagram formation rule in Fig. 1, so that the adaptation 
of the Joyal-Street-Verity axiomatization of traced symmetric monoidal 
categories [22] shown in Fig. 4 is satisfied. 
Remark 26. The versions of the sliding axiom in Fig. 4 differ in the way the 
loop is guarded. They are in line with duality (Remark 4): Sliding II arises from 
Sliding I by 180° rotation, and Sliding III is symmetric under 180° rotation. 


We proceed to investigate the geometric properties of guarded traced categories, 
partly extending Theorem 2. The syntactic setting extends the one for guarded 
categories by additionally closing morphism expressions under the trace operator 
(interpreted diagrammatically as in Fig. 1), obtaining traced morphism expressions. 
Term formation thus becomes mutually recursive with guardedness typing: 
if $e$ is a traced morphism expression such that $e \in \mathrm{Hom}^\bullet((A \otimes U) \otimes B, C \otimes (D \otimes U))$ 
is derivable, then $\mathrm{tr}^U_{A,B,C,D}(e)$ is a traced morphism expression, and 
$\mathrm{tr}^U_{A,B,C,D}(e) \in \mathrm{Hom}^\bullet(A \otimes B, C \otimes D)$ is derivable. Traced diagrams consist of 
finitely many (decorated) basic boxes and wires connecting output gates of basic 
boxes to input gates, with each gate attached to at most one wire; open gates 
are regarded as inputs or outputs, respectively, of the whole diagram. Of course, 
acyclicity is not required. We first note that the easy direction of Theorem 2 
adapts straightforwardly to the setting with traces: 


Proposition 27. Let $e$ be a traced morphism expression such that $e \in \mathrm{Hom}^\bullet(A \otimes B, C \otimes D)$ 
is derivable. Then in the diagram of $e$, all loops and all paths from 
input gates in $A$ to output gates in $D$ are guarded (as defined above). 


Remarkably, the converse of Proposition 27 in general fails in several ways: 


Example 28. The left diagram below 


shows that guardedness typing is not closed under equality of traced morphism 
expressions: Write e for the expression inducing the dashed box. By Proposi- 
tion 27, e, and hence tr(e), fail to type as indicated. However, tr(e) = gf, for 
which the overall guardedness typing indicated is easily derivable. 

Moreover, the diagram on the right above satisfies the necessary condition 
from Proposition 27 but is not induced by an expression for which the indicated 
guardedness typing is derivable, essentially because both ways of cutting the 
loop violate the necessary condition from Proposition 27. 


However, if C is ideally guarded over a guarded ideal G, we do have a converse 
to Proposition 27: By Theorem 14, we can then restrict basic boxes in diagrams 
to be either guarded, i.e. have only black gates, or unguarded, i.e. have only 
white gates. We call the correspondingly restricted diagrams ideally guarded. (We 
emphasize that the guardedness typing of composite ideally guarded diagrams 
still needs to mix guarded and unguarded inputs and outputs.) A path in an 
ideally guarded diagram is guarded iff it passes through a guarded basic box. 
The left-hand diagram in (2) is in fact ideally guarded, so guardedness typing 
fails to be closed under equality also in the ideally guarded case. However, for 
ideally guarded diagrams we have the following converse of Proposition 27. 
Theorem 29. Let $\Delta$ be an ideally guarded diagram, with sets of input and output 
gates disjointly decomposed as $A \cup B$ and $C \cup D$, respectively. If every loop 
in $\Delta$ and every path from a gate in $A$ to a gate in $D$ is guarded, then $\Delta$ is 
induced by a traced morphism expression $e$ such that $e \in \mathrm{Hom}^\bullet(A \otimes B, C \otimes D)$ 
is derivable. 
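The geometric conditions of Theorem 2, Proposition 27 and Theorem 29 are decidable by plain graph search, which the following added example (not code from the paper) carries out. A diagram is a set of decorated basic boxes and wires; inside a box every input gate may flow to every output gate, and such a passage introduces guardedness exactly when it enters through an unguarded input gate and leaves through a guarded output gate. Removing these guarding passages leaves the subgraph of unguarded flow, in which "every path from $A$ to $D$ is guarded" becomes non-reachability and "every loop is guarded" becomes acyclicity. The gate names, the `Diagram` class and the sample diagrams built by `build` are constructed for this example.

```python
"""Geometric guardedness checks on (traced) string diagrams (added example).

Gates are pairs (box, gate).  Wires run from output gates to input gates and
may form loops.  The conditions of Theorem 2 and Proposition 27 are decided
on the subgraph of passages along which no guardedness is introduced.
"""
from collections import defaultdict, deque


class Diagram:
    def __init__(self):
        self.inputs = {}   # (box, gate) -> True iff the input gate is guarded
        self.outputs = {}  # (box, gate) -> True iff the output gate is guarded
        self.wires = []    # (output gate, input gate) pairs

    def box(self, name, inputs, outputs):
        """Declare a basic box; the dicts map gate name -> guarded? flag."""
        for g, guarded in inputs.items():
            self.inputs[(name, g)] = guarded
        for g, guarded in outputs.items():
            self.outputs[(name, g)] = guarded

    def wire(self, src, dst):
        """Connect an output gate to an input gate (cycles are allowed)."""
        assert src in self.outputs and dst in self.inputs, "unknown gate"
        self.wires.append((src, dst))

    def open_inputs(self):
        wired = {dst for _, dst in self.wires}
        return [g for g in self.inputs if g not in wired]

    def open_outputs(self):
        wired = {src for src, _ in self.wires}
        return [g for g in self.outputs if g not in wired]

    def unguarded_graph(self):
        """All wires plus every in->out passage of a box, except the guarding
        passages from an unguarded input gate to a guarded output gate."""
        adj = defaultdict(list)
        for src, dst in self.wires:
            adj[src].append(dst)
        for (box_i, g_i), in_guarded in self.inputs.items():
            for (box_o, g_o), out_guarded in self.outputs.items():
                if box_i == box_o and not ((not in_guarded) and out_guarded):
                    adj[(box_i, g_i)].append((box_o, g_o))
        return adj


def _reachable(adj, start):
    seen, todo = set(), deque([start])
    while todo:
        node = todo.popleft()
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen


def paths_guarded(diagram, a_gates, d_gates):
    """Theorem 2: no unguarded path from an open input gate declared in A
    to an open output gate declared in D."""
    adj = diagram.unguarded_graph()
    targets = set(d_gates)
    return all(not (_reachable(adj, a) & targets) for a in a_gates)


def loops_guarded(diagram):
    """Proposition 27: every loop is guarded, i.e. the subgraph of
    non-guarding passages is acyclic (iterative DFS with colouring)."""
    adj = diagram.unguarded_graph()
    WHITE, GREY, BLACK = 0, 1, 2
    colour = defaultdict(int)
    for root in list(diagram.inputs) + list(diagram.outputs):
        if colour[root] != WHITE:
            continue
        colour[root] = GREY
        stack = [(root, iter(adj[root]))]
        while stack:
            node, it = stack[-1]
            for nxt in it:
                if colour[nxt] == GREY:
                    return False  # back edge: an unguarded loop
                if colour[nxt] == WHITE:
                    colour[nxt] = GREY
                    stack.append((nxt, iter(adj[nxt])))
                    break
            else:
                colour[node] = BLACK
                stack.pop()
    return True


def typing_possible(diagram, a_gates, d_gates):
    """Hypothesis of Theorem 29 for a traced diagram."""
    return loops_guarded(diagram) and paths_guarded(diagram, a_gates, d_gates)


def build(f_a_guarded, f_out_guarded):
    """Constructed sample: box f with inputs a (open) and b (fed back), box g
    with one input and outputs out (fed back to f.b) and res (open)."""
    d = Diagram()
    d.box("f", {"a": f_a_guarded, "b": False}, {"out": f_out_guarded})
    d.box("g", {"in": False}, {"out": False, "res": False})
    d.wire(("f", "out"), ("g", "in"))
    d.wire(("g", "out"), ("f", "b"))
    return d


A_GATES = [("f", "a")]   # open input declared unguarded
D_GATES = [("g", "res")]  # open output declared guarded
```

`build(False, True)` makes `f` a guarding box, so both conditions hold; `build(False, False)` has an unguarded loop and an unguarded path; `build(True, True)` shows the two conditions are independent: the loop through `f.b` is guarded, while the path from the guarded input `f.a` to `g.res` is not.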

We next take a look at the Cartesian and co-Cartesian cases. Recall that by 
Proposition 5, the definition of guarded category can be simplified if $\otimes = +$ (and 
dually if $\otimes = \times$). This simplification extends to guarded traced categories by 
generalizing Hyland-Hasegawa's equivalence between Cartesian trace operators 
and Conway fixpoint operators [18,19]. 


Definition 30 (Guarded Conway operators). Let $\mathbf{C}$ be a guarded co-Cartesian 
category. We call an operator $(-)^\dagger$ of profile 


$$f \in \mathrm{Hom}_{\sigma + \mathrm{id}}(X, Y + X) \;\mapsto\; f^\dagger \in \mathrm{Hom}_\sigma(X, Y) \qquad (3)$$ 

a guarded iteration operator if it satisfies 
– fixpoint: $f^\dagger = [\mathrm{id}, f^\dagger]\,f$ for $f\colon X \to_{\mathrm{in}_2} Y + X$; 
and a Conway iteration operator if it additionally satisfies 


– naturality: $g f^\dagger = ((g + \mathrm{id}) f)^\dagger$ for $f\colon X \to_{\mathrm{in}_2} Y + X$, $g\colon Y \to Z$; 

– dinaturality: $([\mathrm{in}_1, h]\,g)^\dagger = [\mathrm{id}, ([\mathrm{in}_1, g]\,h)^\dagger]\,g$ for $g\colon X \to_{\mathrm{in}_2} Y + Z$ and 
$h\colon Z \to Y + X$, or $g\colon X \to Y + Z$ and $h\colon Z \to_{\mathrm{in}_2} Y + X$; 

– (co)diagonal: $([\mathrm{id}, \mathrm{in}_2]\,f)^\dagger = f^{\dagger\dagger}$ for $f\colon X \to_{\mathrm{in}_2 + \mathrm{id}} (Y + X) + X$. 


Furthermore, we distinguish the following principles: 


– squaring [12]: $f^\dagger = ([\mathrm{in}_1, f]\,f)^\dagger$ for $f\colon X \to_{\mathrm{in}_2} Y + X$; 
– uniformity w.r.t. a subcategory $\mathbf{S}$ of $\mathbf{C}$: $(\mathrm{id} + h)\,f = g\,h$ implies $f^\dagger = g^\dagger h$ for 
all $f\colon X \to_{\mathrm{in}_2} Z + X$, $g\colon Y \to_{\mathrm{in}_2} Z + Y$ and $h\colon X \to Y$ from $\mathbf{S}$; 


and call $(-)^\dagger$ squarable or uniform if it satisfies squaring or uniformity, respectively. 


Guarded (Conway) recursion operators $(-)_\dagger$ on guarded Cartesian categories are 
defined dually in a straightforward manner. We collect the following facts about 
guarded iteration operators for further reference. 


Lemma 31. Let $(-)^\dagger$ be a guarded iteration operator on $(\mathbf{C}, +, \emptyset)$. 


1. If $(-)^\dagger$ is uniform w.r.t. some co-Cartesian subcategory of $\mathbf{C}$ and satisfies the 
codiagonal identity then it is squarable. 

2. If $(-)^\dagger$ is squarable and uniform w.r.t. coproduct injections then it is dinatural. 

3. If $(-)^\dagger$ is Conway then it is uniform w.r.t. coproduct injections. 


Proposition 32. A guarded co-Cartesian category $\mathbf{C}$ is traced iff it is equipped 
with a guarded Conway iteration operator $(-)^\dagger$, with mutual conversions like in 
the total case [18,19]. 
Example 33 (Guarded Conway operators). We list some examples of 
guarded Conway iteration/recursion operators. In all cases except 2, Conwayness 
follows from uniqueness of fixpoints [16, Theorem 17]. 


1. In a vacuously guarded co-Cartesian category (Remark 7), $f\colon X \to_{\mathrm{in}_2} Y + Z$ 
iff $f = \mathrm{in}_1 g$ for some $g\colon X \to Y$. If coproduct injections are monic, then $g$ is 
uniquely determined, and $f^\dagger = g$ defines a guarded Conway operator. 

2. Every Cartesian category $\mathbf{C}$ is guarded under $\mathrm{Hom}^\bullet(X, Y) = \mathrm{Hom}(X, Y)$ 
(making every morphism guarded). Then $\mathbf{C}$ has a guarded Conway recursion 
operator iff $\mathbf{C}$ is a Conway category [13], i.e. models standard total recursion. 

3. The guarded Cartesian category of complete metric spaces as in Example 9 is 
traced: for $f\colon X \times Y \to^{\mathrm{pr}_2} Y$, define $f_\dagger(x)$ as the unique fixpoint of $\lambda y.\, f(x, y)$ 
according to Banach's fixpoint theorem. 

4. Similarly, the topos of trees, ideally guarded as in Example 24, has a guarded 
Conway recursion operator obtained by taking unique fixpoints [7, Theorem 2.4]. 

5. The guarded co-Cartesian category $\mathbf{C}_{T_\Sigma}$ of side-effecting processes (Example 8) 
has a guarded Conway iteration operator obtained by taking unique 
fixpoints, thanks to the universal property of the final coalgebra $T_\Sigma X$ [32]. 
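Example 33(3) computes the guarded recursion operator on complete metric spaces from Example 9 through Banach's theorem, and Example 21 distinguishes per-point from uniform contraction. The following added example (not code from the paper) works this out on the metric space $(\mathbb{R}, |\cdot|)$: `fixpoint` is $f_\dagger$ by Picard iteration, `lipschitz_quotient` samples the contraction factor of $\lambda y.\,f(x, y)$ for a fixed $x$, and `uniform_factor` takes the supremum over sampled $x$, which is what Example 21 requires to stay below 1. The maps `affine`, `shifted_sine` and `scale` are constructed sample inputs.

```python
"""Guarded recursion on metric spaces by Banach iteration (added example).

f : X x Y -> Y is pr2-guarded (Example 9) when y |-> f(x, y) is contractive
for every x; f_dagger(x) is then its unique fixpoint (Example 33(3)).
"""
import math


def fixpoint(f, x, y0=1.0, tol=1e-12, max_iter=100_000):
    """f_dagger(x): iterate y <- f(x, y) until successive values agree."""
    y = y0
    for _ in range(max_iter):
        y_next = f(x, y)
        if abs(y_next - y) <= tol:
            return y_next
        y = y_next
    raise ArithmeticError("no convergence: f is not contractive in y")


def residual(f, x):
    """|f(x, y*) - y*| at the computed fixpoint y*; should be about 0."""
    y = fixpoint(f, x)
    return abs(f(x, y) - y)


def lipschitz_quotient(f, x, ys):
    """Largest |f(x,a) - f(x,b)| / |a - b| over the sample ys: a lower bound
    on the Lipschitz constant of y |-> f(x, y), the contraction factor at x."""
    return max(abs(f(x, a) - f(x, b)) / abs(a - b)
               for a in ys for b in ys if a != b)


def uniform_factor(f, xs, ys):
    """Supremum of the sampled contraction factor over x; Example 21 needs
    a bound c < 1 that is independent of x."""
    return max(lipschitz_quotient(f, x, ys) for x in xs)


# Constructed sample maps R x R -> R.
def affine(x, y):
    """Contractive in y with factor 1/2; the fixpoint is y = 2x."""
    return x + y / 2


def shifted_sine(x, y):
    """Contractive in y with factor 1/2; the fixpoint has no closed form."""
    return x + 0.5 * math.sin(y)


def scale(x, y):
    """Contractive in y for each |x| < 1 with factor |x|, but the factor is
    not bounded away from 1, so this is guarded as in Example 9 and not as
    in Example 21."""
    return x * y
```

For `affine` the iteration converges to $2x$; for `shifted_sine` the residual at the returned value is below $10^{-9}$; for `scale` every fixed $x$ with $|x| < 1$ gives a contraction, yet `uniform_factor` over $x \in \{0.5, 0.9, 0.999\}$ exceeds $0.99$, illustrating why the uniformly contractive structure of Example 21 is strictly smaller.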


Guarded vs. Unguarded Recursion. We proceed to present a class of examples 
relating guarded and unguarded recursion. For motivation, consider the 
category $(\mathbf{Cpo}, \times, 1)$ of complete partial orders (cpos) and continuous maps. 
This category nearly supports recursion via least fixpoints, except that, e.g., 
$\mathrm{id}\colon X \to X$ only has a least fixpoint if $X$ has a bottom. The following equivalent 
approaches involve the lifting monad $(-)_\bot$, which adjoins a fresh bottom $\bot$ to 
a given $X \in |\mathbf{Cpo}|$. 


Classical approach [38,39]: Define a total recursion operator $(-)_\ddagger$ on the category 
$\mathbf{Cpo}_\bot$ of pointed cpos and continuous maps, using least fixpoints. 


Guarded approach (cf. [28]): Extend $\mathbf{Cpo}$ to a guarded category: $f\colon X \times Y \to^{\mathrm{pr}_2} Z$ 
iff $f \in \{g(\mathrm{id} \times \eta) \mid g\colon X \times Y_\bot \to Z\}$ (see Proposition 22), and 
define a guarded recursion operator sending $f = g(\mathrm{id} \times \eta)\colon Y \times X \to^{\mathrm{pr}_2} X$ 
to $f_\dagger = f\langle \mathrm{id}, f_\dagger\rangle\colon Y \to X$ with $f_\dagger(y) \in X$, calculated as the least fixpoint of 
$\lambda z.\, \eta g(y, z)$. 


Pointed cpos happen to be always of the form $X_\bot$ with $X \in |\mathbf{Cpo}|$, which 
indicates that $(-)_\ddagger$ is a special case of $(-)_\dagger$. This is no longer true in more general 
cases when the connection between $(-)_\ddagger$ and $(-)_\dagger$ is more intricate. We show 
that $(-)_\ddagger$ and $(-)_\dagger$ are nevertheless equivalent under reasonable assumptions. 


Definition 34 ([11]). A let-ccc with a fixpoint object is a tuple $(\mathbf{C}, T, \Omega, \omega)$, 
consisting of a Cartesian closed category $\mathbf{C}$, a strong monad $T$ on it, an initial 
$T$-algebra $(\Omega, \mathrm{in})$ and an equalizer $\omega\colon 1 \to \Omega$ of $\mathrm{in}\,\eta\colon \Omega \to \Omega$ and $\mathrm{id}\colon \Omega \to \Omega$. 


The key requirement is the last one, satisfied, e.g., for $\mathbf{Cpo}$ and the lifting monad. 
Given a monad $T$ on $\mathbf{C}$, $\mathbf{C}^T$ denotes the category of $T$-algebras and $\mathbf{C}$-morphisms 
(instead of $T$-algebra homomorphisms). 
Proposition 35 ([37, Theorem 4.6]). Let $(\mathbf{C}, T, \Omega, \omega)$ be a let-ccc with a fixpoint 
object. Then $\mathbf{C}^T$ has a unique $\mathbf{C}^T$-uniform recursion operator $(-)_\ddagger$. 


By [38, Theorem 4], the operator $(-)_\ddagger$ in Proposition 35 is Conway, in particular, 
by Lemma 31, squarable, if $\mathbf{C}$ has a natural numbers object and $T$ 
is an equational lifting monad [10], such as $(-)_\bot$. There are however further 
squarable operators obtained via Proposition 35, e.g. for the partial state monad 
$TX = ((X \times S)_\bot)^S$ [11]. By Lemma 31, the following result applies in particular 
in the setup of Proposition 35 under the additional assumption of squarability. 


Theorem 36. Let $T$ be a strong monad on a Cartesian category $\mathbf{C}$. The following 
gives a bijective correspondence between squarable dinatural recursive operators 
$(-)_\ddagger$ on $\mathbf{C}^T$ and squarable dinatural guarded recursive operators $(-)_\dagger$ on $\mathbf{C}$ 
ideally guarded over $\mathrm{Hom}^\bullet(X, Y) = \{f\eta \mid f\colon TX \to Y\}$: 


$$(f\colon B \times A \to A)_\ddagger = \alpha\,(\eta f(\mathrm{id} \times \alpha))_\dagger \quad\text{for } (A, \alpha) \in |\mathbf{C}^T| \qquad (4)$$ 


$$(f = g(\mathrm{id} \times \eta)\colon Y \times X \to X)_\dagger = g\langle \mathrm{id}, (\eta g)_\ddagger\rangle \qquad (5)$$ 


(in (5) we call on a slight extension of $(-)_\ddagger$; the right hand side of (4) is defined 
because $\eta f(\mathrm{id} \times \alpha)$ factors as $\eta f(\mathrm{id} \times \alpha(T\alpha)\eta)$). Moreover, $(-)_\ddagger$ is Conway iff so 
is $(-)_\dagger$. 


6 Vacuous Guardedness and Nuclear Ideals 


We proceed to discuss traces in vacuously guarded categories (Lemma 3), and 
show that the partial trace operation in the category of (possibly infinite- 
dimensional) Hilbert spaces [2] in fact lives over the vacuous guarded structure. 
We first note that vacuous guarded structures are traced as soon as a simple 
rewiring operation satisfies a suitable well-definedness condition (similar to one 
defining traced nuclear ideals [2, Definition 8.14]): 


Proposition 37. Let $(\mathbf{C}, \otimes, I)$ be vacuously guarded. If for $f \in \mathrm{Hom}^\bullet(A \otimes B, C \otimes D)$ 
with factorization $f = (h \otimes \mathrm{id}_{D \otimes U})(\mathrm{id}_{A \otimes U} \otimes g)$ (eliding associativity), 
$g\colon B \to E \otimes D \otimes U$, $h\colon A \otimes U \otimes E \to C$ as per Lemma 3, the composite 


$$A \otimes B \xrightarrow{\ \mathrm{id} \otimes g\ } A \otimes E \otimes D \otimes U \;\cong\; A \otimes U \otimes E \otimes D \xrightarrow{\ h \otimes \mathrm{id}\ } C \otimes D \qquad (6)$$ 


depends only on $f$, then $\mathbf{C}$ is guarded traced, with $\mathrm{tr}^U_{A,B,C,D}(f)$ defined as (6). 


Diagrammatically, the trace in a vacuously guarded category is thus given by 
We proceed to instantiate the above to Hilbert spaces. On a more abstract 
level, a dagger symmetric monoidal category [35] (or tensored *-category [2]) is 
a symmetric monoidal category $(\mathbf{C}, \otimes, I)$ equipped with an identity-on-objects 
strictly involutive functor $(-)^\dagger\colon \mathbf{C} \to \mathbf{C}^{\mathrm{op}}$ coherently preserving the symmetric 
monoidal structure. The main motivation for dagger symmetric monoidal 
categories is to capture categories that are similar to (dagger) compact closed 
categories in that they admit a canonical trace construction for certain morphisms, 
but fail to be closed, much less compact closed. The "compact closed 
part" of a dagger symmetric monoidal category is axiomatized as follows. 


Definition 38 (Nuclear Ideal, [2]). A nuclear ideal $N$ in a dagger symmetric 
monoidal category $(\mathbf{C}, \otimes, I, (-)^\dagger)$ is a family of subsets $N(X, Y) \subseteq \mathrm{Hom}_{\mathbf{C}}(X, Y)$, 
$X, Y \in |\mathbf{C}|$, satisfying the following conditions: 


1. $N$ is closed under $\otimes$, $(-)^\dagger$, and composition with arbitrary morphisms on both 
sides; 

2. There is a bijection $\theta\colon N(X, Y) \to \mathrm{Hom}_{\mathbf{C}}(I, X^\dagger \otimes Y)$, natural in $X$ and $Y$, 
coherently preserving the dagger symmetric monoidal structure. 

3. (Compactness) For $f \in N(B, A)$ and $g \in N(B, C)$, the following diagram 
commutes: 


[Diagram with nodes $A$, $A \otimes I$, $A \otimes (B^\dagger \otimes C)$, $C$, $I \otimes C$ and $(B^\dagger \otimes A) \otimes C$] 


The above definition is slightly simplified in that we elide a covariant involutive 
functor $\overline{(-)}\colon \mathbf{C} \to \mathbf{C}$, capturing, e.g. complex conjugation; i.e., we essentially 
restrict to spaces over the reals. 

We proceed to present a representative example of a nuclear ideal in the 
category of Hilbert spaces. Recall that a Hilbert space [23] $H$ over the field $\mathbb{R}$ 
of reals is a vector space with an inner product $\langle -, - \rangle\colon H \times H \to \mathbb{R}$ that is 
complete as a normed space under the induced norm $\|x\| = \sqrt{\langle x, x\rangle}$. Let $\mathbf{Hilb}$ 
be the category of Hilbert spaces and bounded linear operators. 

Clearly, $\mathbb{R}$ itself is a Hilbert space; linear operators $X \to \mathbb{R}$ are conventionally 
called functionals. More generally, we consider (multi-)linear functionals $X_1 \times 
\cdots \times X_n \to \mathbb{R}$, i.e. maps that are linear in every argument. Such a functional 
is bounded if $|f(x_1, \ldots, x_n)| \le c\,\|x_1\| \cdots \|x_n\|$ for some constant $c \in \mathbb{R}$. We can 
move between bounded linear operators and bounded linear functionals, similarly 
as we can move between relations and functions to the Booleans: 


Proposition 39 ([23, Theorem 2.4.1]). Given a bounded linear operator $f\colon 
X \to Y$, $f^\circ(x, y) = \langle fx, y\rangle$ defines a bounded linear functional $f^\circ$, and every 
bounded linear functional $X \times Y \to \mathbb{R}$ arises in this way. 


Definition 40 (Hilbert-Schmidt operators/functionals). A bounded linear 
functional $f\colon X_1 \times \cdots \times X_n \to \mathbb{R}$ is Hilbert-Schmidt if the sum 


$$\sum_{x_1 \in B_1, \ldots, x_n \in B_n} \big(f(x_1, \ldots, x_n)\big)^2$$ 

is finite for some, and then any, orthonormal bases $B_1, \ldots, B_n$ of $X_1, \ldots, X_n$, 
respectively. A bounded linear operator $f\colon X \to Y$ is Hilbert-Schmidt if 
the induced functional $f^\circ$ (Proposition 39) is Hilbert-Schmidt, equivalently if 
$\sum_{x \in B} \|fx\|^2$ is finite for some, and then any, orthonormal basis $B$ of $X$. We 
denote by $HS(X, Y)$ the space of all Hilbert-Schmidt operators from $X$ to $Y$. 


For $X, Y \in |\mathbf{Hilb}|$, the space of Hilbert-Schmidt functionals $X \times Y \to \mathbb{R}$ is 
itself a Hilbert space, denoted $X \otimes Y$, with the pointwise vector space structure 
and the inner product $\langle f, g\rangle = \sum_{x \in B, y \in B'} f(x, y)\,g(x, y)$ where $B$ and $B'$ are 
orthonormal bases of $X$ and $Y$, respectively. By virtue of the equivalence between 
$f$ and $f^\circ$, this induces a Hilbert space structure on $HS(X, Y)$, with induced 
norm $\|f\|_2 = \sqrt{\sum_{x \in B} \|fx\|^2}$. The operator $\otimes$ forms part of a dagger symmetric 
monoidal structure on $\mathbf{Hilb}$, with unit $\mathbb{R}$. For a bounded linear operator $f\colon 
X \to Y$, $f^\dagger\colon Y \to X$ is the adjoint operator uniquely determined by the equation 
$\langle x, f^\dagger y\rangle = \langle fx, y\rangle$. The tensor product of $f\colon A \to B$ and $g\colon C \to D$ is the 
functional sending $h\colon A \times C \to \mathbb{R}$ to $h(f^\dagger \times g^\dagger)\colon B \times D \to \mathbb{R}$. Given $a \in A$ and 
$c \in C$, let us denote by $a \otimes c \in A \otimes C$ the functional $(a', c') \mapsto \langle a, a'\rangle\langle c, c'\rangle$, and 
so, with the above $f$ and $g$, $(f \otimes g)(a \otimes c) = f(a) \otimes g(c)$. 


Proposition 41 ([2]). The Hilbert-Schmidt operators form a nuclear ideal in 
$\mathbf{Hilb}$ with $\theta\colon HS(X, Y) \cong \mathrm{Hom}(\mathbb{R}, X^\dagger \otimes Y)$ defined by 


$$\theta(f\colon X \to Y)(r\colon \mathbb{R})(x\colon X, y\colon Y) = r\,\langle fx, y\rangle.$$ 


A crucial fact underlying the proof of Proposition 41 is that $HS(X, Y)$ is isomorphic 
to $X^\dagger \otimes Y$, naturally in $X$ and $Y$. We emphasize that what makes the case of 
$\mathbf{Hilb}$ significant is that we do not restrict to finite-dimensional Hilbert spaces. 
In that case all bounded linear operators would be Hilbert-Schmidt and the 
corresponding category would be (dagger) compact closed [35]. In the infinite-dimensional 
case, identities need not be Hilbert-Schmidt, so $HS$ is indeed only 
an ideal and not a subcategory. 

Let $N^2(X, Y) = \{g^\dagger h\colon X \to Y \mid h \in N(X, Z),\ g \in N(Y, Z)\}$ for any nuclear 
ideal $N$. The main theorem of the section now can be stated as follows. 


Theorem 42. 1. The guarded ideal induced by the vacuous guarded structure 
on $\mathbf{Hilb}$ (see (1)) is precisely $HS^2$, and $\mathbf{Hilb}$ is guarded traced over $HS^2$. 

2. Guarded traces in $\mathbf{Hilb}$ commute with $(-)^\dagger$ in the sense that if $f \in \mathrm{Hom}^\bullet((A \otimes 
U) \otimes B, C \otimes (D \otimes U))$, then $\gamma_{B, A \otimes U}\, f^\dagger\, \gamma_{D \otimes U, C} \in \mathrm{Hom}^\bullet((D \otimes U) \otimes C, B \otimes (A \otimes U))$ 
and $\mathrm{tr}^U_{D,C,B,A}(\gamma_{B, A \otimes U}\, f^\dagger\, \gamma_{D \otimes U, C}) = \gamma_{A,B}\,\big(\mathrm{tr}^U_{A,B,C,D}(f)\big)^\dagger\, \gamma_{C,D}$. 


Clause 1 is a generalization of the result in [2, Theorem 8.16] to parametrized 
traces. Specifically, we obtain agreement with the conventional mathematical 
definition of trace: given $f \in HS^2(X, X)$, $\mathrm{tr}(f) = \sum_i \langle f(e_i), e_i\rangle$ for any choice of 
an orthonormal basis $(e_i)_i$, and $HS^2(X, X)$ contains precisely those $f$ for which 
this sum is absolutely convergent independently of the basis. 


S. Goncharov and L. Schröder 


7 Conclusions and Further Work 


We have presented and investigated a notion of abstract guardedness and 
guarded traces, focusing on foundational results and important classes of exam- 
ples. We have distinguished a more specific notion of ideal guardedness, which in 
many respects appears to be better behaved than the unrestricted one, in partic- 
ular ensures closer agreement between structural and geometric guardedness. An 
unexpectedly prominent role is played by ‘vacuous’ guardedness, characterized 
by the absence of paths connecting unguarded inputs to guarded outputs; e.g., 
partial traces in Hilbert spaces [2] turn out to be based on this form of guard- 
edness. Further research will concern a coherence theorem for guarded traced 
categories generalizing the well-known unguarded case [22,34], and a generaliza- 
tion of the Int-construction [22], which would relate guarded traced categories to 
a suitable guarded version of compact closed categories. Also, we plan to investi- 
gate guarded traced categories as a basis for generalized Hoare logics, extending 
and unifying previous work [5,15]. 
Abstract. Ésik and Maletti introduced the notion of a proper semiring 
ing and proved that some important (classes of) semirings — Noethe- 
rian semirings, natural numbers — are proper. Properness matters as 
the equivalence problem for weighted automata over a semiring which 
is proper and finitely and effectively presented is decidable. Milius gen- 
eralised the notion of properness from a semiring to a functor. As a 
consequence, a semiring is proper if and only if its associated “cubic 
functor” is proper. Moreover, properness of a functor renders soundness 
and completeness proofs for axiomatizations of equivalent behaviour. 

In this paper we provide a method for proving properness of func- 
tors, and instantiate it to cover both the known cases and several novel 
ones: (1) properness of the semirings of positive rationals and positive 
reals, via properness of the corresponding cubic functors; and (2) proper- 
ness of two functors on (positive) convex algebras. The latter functors 
are important for axiomatizing trace equivalence of probabilistic transi- 
tion systems. Our proofs rely on results that stretch all the way back to 
Hilbert and Minkowski. 


Keywords: Proper semirings · Proper functors · Coalgebra · 
Weighted automata · Probabilistic transition systems 


1 Introduction 


In this paper we deal with algebraic categories and deterministic weighted 
automata functors on them. Such categories are the target of generalized deter- 
minization [10,22,23] and enable coalgebraic modelling beyond sets. For exam- 
ple, non-deterministic automata, weighted, or probabilistic ones are coalge- 
braically modelled over the categories of join-semilattices, semimodules for a 
semiring, and convex sets, respectively. Moreover, expressions for axiomatizing 
behavior semantics often live in algebraic categories. 

In order to prove completeness of such axiomatizations, the common app- 
roach [4,21,23] is to prove finality of a certain object in a category of coalgebras 
over an algebraic category. Proofs are significantly simplified if it suffices to verify 
ify finality only w.r.t. coalgebras carried by free finitely generated algebras, as 
those are the coalgebras that result from generalized determinization. 

In recent work, Milius [16] proposed the notion of a proper functor on an 
algebraic category that provides a sufficient condition for this purpose. This 
notion is an extension of the notion of a proper semiring introduced by Ésik 
and Maletti [8]: A semiring is proper if and only if its "cubic" functor is proper. 
A cubic functor is a functor $S \times (-)^A$ where $A$ is a finite alphabet and $S$ is a 
free algebra with a single generator in the algebraic category. Cubic functors 
model deterministic weighted automata which are models of determinizations of 
non-deterministic and probabilistic transition systems. 

Properness is the property that for any two states that are behaviourally 
equivalent in coalgebras with free finitely generated carriers, there is a zig-zag of 
homomorphisms (called a chain of simulations in the original works on weighted 
automata and proper semirings) that identifies the two states and whose nodes 
are all carried by free finitely generated algebras. 

Even though the notion of properness is relatively new for a semiring and 
very new for a functor, results on properness of semirings can be found in more 
distant literature as well. Here is a brief history, to the best of our knowledge: 


— The Boolean semiring was proven to be proper in [3]. 

— Finite commutative ordered semirings were proven to be proper in [7, Theo- 
rem 5.1]. Interestingly, the proof provides a zig-zag with at most seven inter- 
mediate nodes. 

— Any euclidean domain and any skew field were proven proper in [1, Theorem 
3]. In each case the zig-zag has two intermediate nodes. 

— The semiring of natural numbers N, the Boolean semiring B, the ring of 
integers Z and any skew field were proven proper in [2, Theorem 1]. All zig- 
zags were spans, i.e., had a single intermediate node with outgoing arrows. 

— Noetherian semirings were proven proper in [8, Theorem 4.2], commutative 
rings also in [8, Corollary 4.4], and finite semirings as well in [8, Corollary 
4.5], all with a zig-zag being a span. Moreover, the tropical semiring is not 
proper, as proven in [8, Theorem 5.4]. 


Having properness of a semiring, together with the property of the semiring 
being finitely and effectively presentable, yields decidability of the equivalence 
problem (decidability of trace equivalence) for weighted automata. 

In this paper, motivated by the wish to prove properness of a certain func- 
tor F on convex algebras used for axiomatizing trace semantics of probabilistic 
systems in [23], as well as by the open questions stated in [16, Example 3.19], 
we provide a framework for proving properness. We instantiate this framework 
on known cases like Noetherian semirings and N (with a zig-zag that is a span), 
and further prove new results of properness: 


— The semirings Q+ and R+ of non-negative rationals and reals, respectively, 
are proper. The shape of the zig-zag is a span as well. 
— The functor $[0,1] \times (-)^A$ on PCA is proper, again the zig-zag being a span. 
— The functor F on PCA is proper. This proof is the most involved, and inter- 
estingly, provides the only case where the zig-zag is not a span: it contains 
three intermediate nodes of which the middle one forms a span. 


Our framework requires a proof of so-called extension and reduction lemmas 
in each case. While the extension lemma is a generic result that covers all cubic 
functors of interest, the reduction lemma is in all cases a nontrivial property 
intrinsic to the algebras under consideration. For the semiring of natural numbers 
it is a consequence of a result that we trace back to Hilbert; for the case of convex 
algebra [0,1] the result is due to Minkowski. In the case of F, we use Kakutani’s 
set-valued fixpoint theorem. 

It is an interesting question for future work whether these new properness 
results may lead to new complete axiomatizations of expressions for certain 
weighted automata. 

The organization of the rest of the paper is as follows. In Sect. 2 we give some 
basic definitions and introduce the semirings, the categories, and the functors of 
interest. Section 3 provides the general framework as well as proofs of properness 
of the cubic functors. Sections 4, 5 and 6 lead us to properness of F on PCA. For 
space reasons, we present the ideas of proofs and constructions in the main paper 
and defer all detailed proofs to the arXiv-version [24]. 


2 Proper Functors 


We start with a brief introduction of the basic notions from algebra and coalgebra 
needed in the rest of the paper, as well as the important definition of proper 
functors [16]. We refer the interested reader to [9,11,20] for more details. We 
assume basic knowledge of category theory, see e.g. [14] or [24, Appendix A]. 

Let C be a category and F a C-endofunctor. The category Coalg(F) of F- 
coalgebras is the category having as objects pairs (X,c) where X is an object of 
C and c is a C-morphism from X to FX, and as morphisms $f: (X,c) \to (Y,d)$ 
those C-morphisms f from X to Y that make the following square commute: 

$$X \xrightarrow{\ f\ } Y, \qquad c: X \to FX, \qquad d: Y \to FY, \qquad Ff \circ c = d \circ f.$$ 

All base categories C in this paper will be algebraic categories, i.e., categories 
$\mathbf{Set}^T$ of Eilenberg-Moore algebras of a finitary monad T on Set.¹ Hence, all 
base categories are concrete with forgetful functor that is identity on morphisms. 

In such categories behavioural equivalence [13,25,26] can be defined as fol- 
lows. Let (X,c) and (Y,d) be F-coalgebras and let $x \in X$ and $y \in Y$. Then 
x and y are behaviourally equivalent, and we write $x \sim y$, if there exists an F- 
coalgebra (Z,e) and Coalg(F)-morphisms $f: (X,c) \to (Z,e)$, $g: (Y,d) \to (Z,e)$, 
with f(x) = g(y). 




1 The notions of monads and algebraic categories are central to this paper. We recall 
them in [24, Appendix A] to make the paper better accessible to all readers. 
If there exists a final coalgebra in Coalg(F), and all functors considered in this 
paper will have this property, then two elements are behaviourally equivalent if 
and only if they have the same image in the final coalgebra. If we have a zig-zag 
diagram in Coalg(F) 


$$(X,c) \xrightarrow{f_1} (Z_1,e_1) \xleftarrow{f_2} (Z_2,e_2) \xrightarrow{f_3} (Z_3,e_3) \xleftarrow{f_4} \cdots \xrightarrow{f_{2n-1}} (Z_{2n-1},e_{2n-1}) \xleftarrow{f_{2n}} (Y,d) \tag{1}$$ 

which relates x with y in the sense that there exist elements $z_{2k} \in Z_{2k}$, k = 
1,...,n−1, with (setting $z_0 = x$ and $z_{2n} = y$) 

$$f_{2k}(z_{2k}) = f_{2k-1}(z_{2k-2}), \qquad k = 1,\dots,n,$$ 

then $x \sim y$. 

We now recall the notion of a proper functor, introduced by Milius [16] which 
is central to this paper. It is very helpful for establishing completeness of regular 
expressions calculi, cf. [16, Corollary 3.17]. 


Definition 2.1. Let T: Set → Set be a finitary monad with unit η and multi- 
plication μ. A $\mathbf{Set}^T$-endofunctor F is proper, if the following statement holds. 

For each pair $(TB_1, c_1)$ and $(TB_2, c_2)$ of F-coalgebras with $B_1$ and $B_2$ finite 
sets, and each two elements $b_1 \in B_1$ and $b_2 \in B_2$ with $\eta_{B_1}(b_1) \sim \eta_{B_2}(b_2)$, there 
exists a zig-zag (1) in Coalg(F) which relates $\eta_{B_1}(b_1)$ with $\eta_{B_2}(b_2)$, and whose 
nodes $(Z_j, e_j)$ all have free and finitely generated carrier. 


This notion generalizes the notion of a proper semiring introduced by Esik 
and Maletti in [8, Definition 3.2], cf. [16, Remark 3.10]. 


Remark 2.2. In the definition of properness the condition that intermediate 
nodes have free and finitely generated carrier is necessary for nodes with incom- 
ing arrows (the nodes $Z_{2k-1}$ in (1)). For the intermediate nodes with outgoing 
arrows ($Z_{2k}$ in (1)), it is enough to require that their carrier is finitely gener- 
ated. This follows since every F-coalgebra with finitely generated carrier is the 
image under an F-coalgebra morphism of an F-coalgebra with free and finitely 
generated carrier. 

Moreover, note that zig-zags which start (or end) with incoming arrows 
instead of outgoing ones, can also be allowed since a zig-zag of this form can 
be turned into one of the form (1) by appending identity maps. 


Some Concrete Monads and Functors 
We deal with the following base categories. 


— The category S-SMOD of semimodules over a semiring S induced by the monad 
$T_S$ of finitely supported maps into S, see, e.g., [15, Example 4.2.5]. 

— The category PCA of positively convex algebras induced by the monad of 
finitely supported subprobability distributions, see, e.g., [5,6] and [17]. 
For $n \in \mathbb{N}$, the free algebra with n generators in S-SMOD is the direct product $S^n$, 
and in PCA it is the n-simplex $\Delta^n = \{(\xi_1,\dots,\xi_n) \mid \xi_j \ge 0,\ \sum_{j=1}^n \xi_j \le 1\}$. 

Concerning semimodule-categories, we mainly deal with the semirings N, 
Q+, and R+, and their ring completions Z, Q, and R. For these semirings the 
categories of S-semimodules are 


— CMON of commutative monoids for N, 

— AB of abelian groups for Z, 

— CONE of convex cones for R+, 

— Q-VEC and R-VEC of vector spaces over the field of rational and real numbers, 
respectively, for Q and R. 


We consider the following functors, where A is a fixed finite alphabet. Recall that 
we use the term cubic functor for the functor $T1 \times (-)^A$ where T is a monad 
on Set. We chose the name since $T1 \times (-)^A$ assigns to objects X a full direct 
product, i.e., a full cube. 


— The cubic functor $F_S$ on S-SMOD, i.e., the functor acting as 

$$F_S X = S \times X^A \ \text{ for } X \text{ object of S-SMOD}, \qquad F_S f = \mathrm{id}_S \times (f \circ -) \ \text{ for } f: X \to Y \text{ morphism of S-SMOD}.$$ 


The underlying Set functors of cubic functors are also sometimes called 
deterministic-automata functors, see e.g. [10], as their coalgebras are deter- 
ministic weighted automata with output in the semiring. 

— The cubic functor $F_{[0,1]}$ on PCA, i.e., the functor $F_{[0,1]} X = [0,1] \times X^A$ and 
$F_{[0,1]} f = \mathrm{id}_{[0,1]} \times (f \circ -)$. 

— A subcubic convex functor F on PCA whose action will be introduced in Def- 
inition 4.1.² The name originates from the fact that FX is a certain convex 
subset of $F_{[0,1]} X$ and that $Ff = (F_{[0,1]} f)|_{FX}$ for $f: X \to Y$. 


Cubic functors are liftings of Set-endofunctors, in particular, they preserve 
surjective algebra homomorphisms. It is easy to see that also the functor F 
preserves surjectivity, cf. [24, Lemma D.1]. This property is needed to apply the 
work of Milius, cf. [16, Assumptions 3.1]. 


Remark 2.3. We can now formulate precisely the connection between proper 
semirings and proper functors mentioned after Definition 2.1. A semiring S is 
proper in the sense of [8], if and only if for every finite input alphabet A the 
cubic functor $F_S$ on S-SMOD is proper. 


We shall interchangeably think of direct products as sets of functions or as 
sets of tuples. Taking the viewpoint of tuples, the definition of $F_S f$ reads as 

$$(F_S f)\big((o, (x_a)_{a \in A})\big) = \big(o, (f(x_a))_{a \in A}\big), \qquad o \in S,\ x_a \in X \text{ for } a \in A.$$ 


2 This functor was denoted G in [23] where it was first studied in the context of 
axiomatization of trace semantics. 
A coalgebra structure $c: X \to F_S X$ writes as 

$$c(x) = \big(c_0(x), (c_a(x))_{a \in A}\big), \qquad x \in X,$$ 

and we use $c_0: X \to S$ and $c_a: X \to X$ as generic notation for the components 
of the map c. More generally, we define $c_w: X \to X$ for any word $w \in A^*$ 
inductively as $c_\varepsilon = \mathrm{id}_X$ and $c_{wa} = c_a \circ c_w$, $w \in A^*$, $a \in A$. 

The map from a coalgebra (X, c) into the final $F_S$-coalgebra, the trace map, 
is then given as $\mathrm{tr}_c(x) = \big((c_0 \circ c_w)(x)\big)_{w \in A^*}$ for $x \in X$. Behavioural equivalence 
for cubic functors is the kernel of the trace map. 


3  Properness of Cubic Functors 


Our proofs of properness in this section and in Sect. 6 below start from the 
following idea. Let S be a semiring, and assume we are given two $F_S$-coalgebras 
which have free finitely generated carrier, say $(S^{n_1}, c_1)$ and $(S^{n_2}, c_2)$. Moreover, 
assume $x_1 \in S^{n_1}$ and $x_2 \in S^{n_2}$ are two elements having the same trace. For 
j = 1, 2, let $d_j: S^{n_1} \times S^{n_2} \to F_S(S^{n_1} \times S^{n_2})$ be given by 

$$d_j(y_1, y_2) = \Big(c_{j0}(y_j),\ \big((c_{1a}(y_1), c_{2a}(y_2))\big)_{a \in A}\Big).$$ 

Denoting by $\pi_j: S^{n_1} \times S^{n_2} \to S^{n_j}$ the canonical projections, both sides of the 
following diagram separately commute. 

$$S^{n_1} \xleftarrow{\ \pi_1\ } S^{n_1} \times S^{n_2} \xrightarrow{\ \pi_2\ } S^{n_2}$$ 
$$F_S S^{n_1} \xleftarrow{F_S \pi_1} F_S(S^{n_1} \times S^{n_2}) \xrightarrow{F_S \pi_2} F_S S^{n_2}$$ 

(vertical arrows $c_1$, $d_1 \neq d_2$, $c_2$), i.e., $F_S\pi_1 \circ d_1 = c_1 \circ \pi_1$ and $F_S\pi_2 \circ d_2 = c_2 \circ \pi_2$. 
However, in general the maps $d_1$ and $d_2$ do not coincide. 
The next lemma contains a simple observation: there exists a subsemimodule 
Z of $S^{n_1} \times S^{n_2}$, such that the restrictions of $d_1$ and $d_2$ to Z coincide and turn Z 
into an $F_S$-coalgebra. 


Lemma 3.1. Let Z be the subsemimodule of $S^{n_1} \times S^{n_2}$ generated by the pairs 
$(c_{1w}(x_1), c_{2w}(x_2))$ for $w \in A^*$. Then $d_1|_Z = d_2|_Z$ and $d_j(Z) \subseteq F_S(Z)$. 
The significance of Lemma 3.1 in the present context is that it leads to the 
diagram (we denote $d = d_1|_Z$) 

$$S^{n_1} \xleftarrow{\ \pi_1\ } Z \xrightarrow{\ \pi_2\ } S^{n_2}, \qquad Z \subseteq S^{n_1} \times S^{n_2},$$ 
$$F_S S^{n_1} \xleftarrow{F_S \pi_1} F_S Z \xrightarrow{F_S \pi_2} F_S S^{n_2}, \qquad F_S Z \subseteq S \times (S^{n_1} \times S^{n_2})^A$$ 

(vertical arrows $c_1$, $d$, $c_2$). In other words, it leads to the zig-zag in Coalg($F_S$) 

$$(S^{n_1}, c_1) \xleftarrow{\ \pi_1\ } (Z, d) \xrightarrow{\ \pi_2\ } (S^{n_2}, c_2) \tag{2}$$ 

This zig-zag relates $x_1$ with $x_2$ since $(x_1, x_2) \in Z$. If it can be shown that Z is 
always finitely generated, it will follow that $F_S$ is proper. 

Let S be a Noetherian semiring, i.e., such that every S-subsemimodule of 
some finitely generated S-semimodule is itself finitely generated. Then Z is, as an 
S-subsemimodule of $S^{n_1} \times S^{n_2}$, finitely generated. We reobtain [8, Theorem 4.2]. 


Corollary 3.2 (Esik—Maletti 2010). Every Noetherian semiring is proper. 
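As an added illustration of Lemma 3.1 and Corollary 3.2 (example code written for this edit, not code from the paper), the following Python computes the subsemimodule Z for S = Q, where the worklist over words terminates because Q is Noetherian, and decides trace equality of two states by checking $d_1|_Z = d_2|_Z$ on a generating set, i.e. the decidability of equivalence mentioned in the introduction. The two automata and the start vectors are constructed sample data.

```python
from fractions import Fraction
from typing import Dict, List, Tuple

Vec = List[Fraction]
Echelon = List[Tuple[int, Vec]]   # (pivot column, vector with a 1 in that column)


class WeightedAutomaton:
    """An F_S-coalgebra c: S^n -> S x (S^n)^A over S = Q, stored as the output
    functional c_0 (a row vector) and one n x n matrix per letter for c_a.
    Vectors are columns; column j of the matrix for a is c_a(e_j)."""

    def __init__(self, output: List, transitions: Dict[str, List[List]]):
        self.output = [Fraction(v) for v in output]
        self.trans = {a: [[Fraction(v) for v in row] for row in m]
                      for a, m in transitions.items()}
        self.alphabet = tuple(sorted(self.trans))
        self.n = len(self.output)

    def c0(self, x: Vec) -> Fraction:
        return sum(o * xi for o, xi in zip(self.output, x))

    def ca(self, a: str, x: Vec) -> Vec:
        m = self.trans[a]
        return [sum(m[i][j] * x[j] for j in range(self.n)) for i in range(self.n)]


def _reduce(basis: Echelon, v: Vec) -> Vec:
    """Gaussian elimination of v against a fully reduced echelon basis."""
    v = list(v)
    for piv, b in basis:
        if v[piv] != 0:
            coef = v[piv]
            v = [vi - coef * bi for vi, bi in zip(v, b)]
    return v


def _insert(basis: Echelon, v: Vec) -> bool:
    """Add v to the basis if it is not yet in the span; report whether it was new."""
    r = _reduce(basis, v)
    piv = next((i for i, ri in enumerate(r) if ri != 0), None)
    if piv is None:
        return False
    r = [ri / r[piv] for ri in r]
    # keep the old vectors reduced in the new pivot column too
    for k, (p, b) in enumerate(basis):
        if b[piv] != 0:
            basis[k] = (p, [bi - b[piv] * ri for bi, ri in zip(b, r)])
    basis.append((piv, r))
    return True


def generate_Z(aut1, x1, aut2, x2) -> List[Tuple[Vec, Vec]]:
    """Return a basis of Z = span{(c_1w(x1), c_2w(x2)) | w in A*} consisting of
    such pairs. Worklist search over words; it terminates because Q^(n1+n2) is
    Noetherian, so at most n1 + n2 pairs can be independent (Lemma 3.1, Cor. 3.2)."""
    if aut1.alphabet != aut2.alphabet:
        raise ValueError("both coalgebras must use the same alphabet A")
    basis: Echelon = []
    generators: List[Tuple[Vec, Vec]] = []
    worklist = [([Fraction(v) for v in x1], [Fraction(v) for v in x2])]
    while worklist:
        y1, y2 = worklist.pop()
        if _insert(basis, y1 + y2):          # a new generator (c_1w(x1), c_2w(x2))
            generators.append((y1, y2))
            for a in aut1.alphabet:          # its successors (c_1wa(x1), c_2wa(x2))
                worklist.append((aut1.ca(a, y1), aut2.ca(a, y2)))
    return generators


def same_trace(aut1, x1, aut2, x2) -> bool:
    """x1 ~ x2 iff tr(x1) = tr(x2), i.e. iff c_10 and c_20 agree on every pair
    (c_1w(x1), c_2w(x2)). The output difference is linear on Z, so it suffices
    to check the generators; this is exactly the condition d_1|_Z = d_2|_Z that
    makes (Z, d) the middle node of the span (2)."""
    return all(aut1.c0(y1) == aut2.c0(y2)
               for y1, y2 in generate_Z(aut1, x1, aut2, x2))


# Constructed sample data (not from the paper): over A = {a, b}, both automata
# output 2 on exactly the words in b* a a* and 0 elsewhere when started in X1 / X2.
AUT1 = WeightedAutomaton(output=[0, 1],
                         transitions={"a": [[0, 0], [2, 1]],
                                      "b": [[1, 0], [0, 0]]})
AUT2 = WeightedAutomaton(output=[0, 0, 1],
                         transitions={"a": [[0, 0, 0], [0, 0, 0], [1, 1, 1]],
                                      "b": [[1, 0, 0], [0, 1, 0], [0, 0, 0]]})
X1 = [1, 0]          # start state p of AUT1
X2 = [1, 1, 0]       # the sum r + s of two states of AUT2
X3 = [1, 0, 0]       # the single state r of AUT2: outputs 1 instead of 2

if __name__ == "__main__":
    print("dim Z =", len(generate_Z(AUT1, X1, AUT2, X2)))   # 2
    print(same_trace(AUT1, X1, AUT2, X2))                    # True
    print(same_trace(AUT1, X1, AUT2, X3))                    # False
```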


Our first main result is Theorem 3.3 below, where we show properness of the 
cubic functors $F_S$ on S-SMOD, for S being one of the semirings N, Q+, R+, and of 
the cubic functor $F_{[0,1]}$ on PCA. The case of $F_{\mathbb{N}}$ is known from [2, Theorem 4]³, 
the case of $F_{[0,1]}$ is stated as an open problem in [16, Example 3.19]. 


Theorem 3.3. The cubic functors $F_{\mathbb{N}}$, $F_{\mathbb{Q}_+}$, $F_{\mathbb{R}_+}$, and $F_{[0,1]}$ are proper. 

In fact, for any two coalgebras with free finitely generated carrier and any two 
elements having the same trace, a zig-zag with free and finitely generated nodes 
relating those elements can be found, which is a span (has a single intermediate 
node with outgoing arrows). 


The proof proceeds via relating to the Noetherian case. It always follows the 
same scheme, which we now outline. Observe that the ring completion of each of 
N, Q+, R+ is Noetherian (for the last two it actually is a field), and that [0,1] 
is the positive part of the unit ball in R. 


Step 1. The extension lemma: We use an extension of scalars process to pass 
from the given category C to an associated category E-MOD with a Noetherian 
ring E. This is a general categorical argument. 


3 In [2] only a sketch of the proof is given, cf. [2, Sect. 3.3]. In this sketch one important 
point is not mentioned. Using the terminology of [2, Sect. 3.3]: it could a priori be 
possible that the size of the vectors in G and the size of G both oscillate. 
To unify notation, we agree that S may also take the value [0,1], and that 
$T_{[0,1]}$ is the monad of finitely supported subprobability distributions giving rise 
to the category PCA. 


 S     | N              | Q+             | R+              | [0,1] 
 C     | N-SMOD (CMON)  | Q+-SMOD        | R+-SMOD (CONE)  | PCA 
 E-MOD | Z-MOD (AB)     | Q-MOD (Q-VEC)  | R-MOD (R-VEC)   | R-MOD (R-VEC) 


For the formulation of the extension lemma, recall that the starting category 
C is the Eilenberg-Moore category of the monad $T_S$ and the target category 
E-MOD is the Eilenberg-Moore category of $T_E$. We write $\eta_S$ and $\mu_S$ for the unit 
and multiplication of $T_S$ and analogously for $T_E$. We have $T_S \le T_E$ via the 
inclusion monad morphism $\iota: T_S \to T_E$ given by $\iota_X(u) = u$, as $\eta_E = \iota \circ \eta_S$ 
and $\mu_E \circ \iota\iota = \iota \circ \mu_S$ where $\iota\iota \stackrel{\mathrm{def}}{=} \iota T_E \circ T_S \iota$. Recall that a monad 
morphism $\iota: T_S \to T_E$ defines a functor $M_\iota: \mathbf{Set}^{T_E} \to \mathbf{Set}^{T_S}$ which maps a $T_E$- 
algebra $(X, a_X)$ to $(X, a_X \circ \iota_X)$ and is identity on morphisms. Obviously, $M_\iota$ 
commutes with the forgetful functors $U_S: \mathbf{Set}^{T_S} \to \mathbf{Set}$ and $U_E: \mathbf{Set}^{T_E} \to \mathbf{Set}$, 
i.e., $U_S \circ M_\iota = U_E$. 


Definition 3.4. Let $(X, a_X) \in \mathbf{Set}^{T_S}$ and $(Y, a_Y) \in \mathbf{Set}^{T_E}$ where $T_S$ and $T_E$ are 
monads with $T_S \le T_E$ via $\iota: T_S \to T_E$. A Set-arrow $h: X \to Y$ is a $T_S \le T_E$- 
homomorphism from $(X, a_X)$ to $(Y, a_Y)$ if and only if the following diagram 
commutes (in Set) 

$$T_S X \xrightarrow{\ \iota h\ } T_E Y, \qquad a_X: T_S X \to X, \qquad a_Y: T_E Y \to Y, \qquad X \xrightarrow{\ h\ } Y, \qquad\text{i.e.}\quad h \circ a_X = a_Y \circ \iota h,$$ 

where $\iota h$ denotes the map $\iota h \stackrel{\mathrm{def}}{=} T_E h \circ \iota_X = \iota_Y \circ T_S h$. In other words, a 
$T_S \le T_E$-homomorphism from $(X, a_X)$ to $(Y, a_Y)$ is a morphism in $\mathbf{Set}^{T_S}$ from 
$(X, a_X)$ to $M_\iota(Y, a_Y)$. 


Now we can formulate the extension lemma. 


Proposition 3.5 (Extension Lemma). For every $F_S$-coalgebra $T_S B \xrightarrow{\ c\ } F_S(T_S B)$ 
with free finitely generated carrier $T_S B$ for a finite set B, there exists 
an $F_E$-coalgebra $T_E B \xrightarrow{\ \tilde c\ } F_E(T_E B)$ with free finitely generated carrier $T_E B$ such 
that 

$$T_S B \xrightarrow{\ \iota_B\ } T_E B, \qquad F_S(T_S B) \xrightarrow{\ \iota \times \iota_B^A\ } F_E(T_E B), \qquad \tilde c \circ \iota_B = (\iota \times \iota_B^A) \circ c,$$ 

where the horizontal arrows ($\iota_B$ and $\iota \times \iota_B^A$) are $T_S \le T_E$-homomorphisms, and 
moreover they both amount to inclusion. 
Step 2. The basic diagram: Let $n_1, n_2 \in \mathbb{N}$, let $B_j$ be the $n_j$-element set consisting 
of the canonical basis vectors of $E^{n_j}$, and set $X_j = T_S B_j$. Assume we are given 
$F_S$-coalgebras $(X_1, c_1)$ and $(X_2, c_2)$, and elements $x_j \in X_j$ with $\mathrm{tr}_{c_1} x_1 = \mathrm{tr}_{c_2} x_2$. 

The extension lemma provides $F_E$-coalgebras $(E^{n_j}, \tilde c_j)$ with $\tilde c_j|_{X_j} = c_j$. 
Clearly, $\mathrm{tr}_{\tilde c_1} x_1 = \mathrm{tr}_{\tilde c_2} x_2$. Using the zig-zag diagram (2) in Coalg($F_E$) and append- 
ing inclusion maps, we obtain what we call the basic diagram. In this diagram 
all solid arrows are arrows in E-MOD, and all dotted arrows are arrows in C. The 
horizontal dotted arrows denote the inclusion maps, and $\pi_j$ are the restrictions 
to Z of the canonical projections. 

$$X_1 \hookrightarrow E^{n_1} \xleftarrow{\ \pi_1\ } Z \xrightarrow{\ \pi_2\ } E^{n_2} \hookleftarrow X_2, \qquad Z \subseteq E^{n_1} \times E^{n_2},$$ 
$$F_S X_1 \hookrightarrow F_E E^{n_1} \xleftarrow{F_E \pi_1} F_E Z \xrightarrow{F_E \pi_2} F_E E^{n_2} \hookleftarrow F_S X_2, \qquad F_E Z \subseteq E \times (E^{n_1} \times E^{n_2})^A$$ 

(vertical arrows $c_1$, $\tilde c_1$, $d$, $\tilde c_2$, $c_2$). 
Commutativity of this diagram yields $d(\pi_j^{-1}(X_j)) \subseteq (F_E \pi_j)^{-1}(F_S X_j)$ for 
j = 1, 2. Now we observe the following properties of cubic functors. 


Lemma 3.6. We have $F_E X \cap F_S Y = F_S(X \cap Y)$. Moreover, if $Y_j \subseteq X_j$, then 
$(F_E \pi_1)^{-1}(F_S Y_1) \cap (F_E \pi_2)^{-1}(F_S Y_2) = F_S(Y_1 \times Y_2)$. 


Using this yields 

$$d(Z \cap (X_1 \times X_2)) \subseteq F_E Z \cap (F_E \pi_1)^{-1}(F_S X_1) \cap (F_E \pi_2)^{-1}(F_S X_2) = F_E Z \cap F_S(X_1 \times X_2) = F_S(Z \cap (X_1 \times X_2)).$$ 


This shows that $Z \cap (X_1 \times X_2)$ becomes an $F_S$-coalgebra with the restriction 
$d|_{Z \cap (X_1 \times X_2)}$. Again referring to the basic diagram, we have the following zig- 
zag in Coalg($F_S$) (to shorten notation, denote the restrictions of $d, \pi_1, \pi_2$ to 
$Z \cap (X_1 \times X_2)$ again as $d, \pi_1, \pi_2$): 

$$(X_1, c_1) \xleftarrow{\ \pi_1\ } (Z \cap (X_1 \times X_2), d) \xrightarrow{\ \pi_2\ } (X_2, c_2) \tag{3}$$ 

This zig-zag relates $x_1$ with $x_2$ since $(x_1, x_2) \in Z \cap (X_1 \times X_2)$. 


Step 3. The reduction lemma: In view of the zig-zag (3), the proof of Theorem 3.3 
can be completed by showing that $Z \cap (X_1 \times X_2)$ is finitely generated as an algebra 
in C. Since Z is a submodule of the finitely generated module $E^{n_1} \times E^{n_2}$ over the 
Noetherian ring E, it is finitely generated as an E-module. The task thus is to 
show that being finitely generated is preserved when reducing scalars. 

This is done by what we call the reduction lemma. Contrasting the exten- 
sion lemma, the reduction lemma is not a general categorical fact, and requires 
specific proof in each situation. 
Proposition 3.7 (Reduction Lemma). Let $n_1, n_2 \in \mathbb{N}$, let $B_j$ be the set 
consisting of the $n_j$ canonical basis vectors of $E^{n_j}$, and set $X_j = T_S B_j$. Moreover, 
let Z be an E-submodule of $E^{n_1} \times E^{n_2}$. Then $Z \cap (X_1 \times X_2)$ is finitely generated 
as an algebra in C. 


4 A Subcubic Convex Functor 


Recall the following definition from [23, p. 309]. 
Definition 4.1. We introduce a functor F: PCA → PCA. 
1. Let X be a PCA. Then 

$$FX = \Big\{(o, \phi) \in [0,1] \times X^A \ \Big|\ \exists\, n_a \in \mathbb{N},\ p_{a,j} \in [0,1],\ x_{a,j} \in X \text{ for } j = 1,\dots,n_a,\ a \in A:\ o + \sum_{a \in A} \sum_{j=1}^{n_a} p_{a,j} \le 1,\ \phi(a) = \sum_{j=1}^{n_a} p_{a,j} x_{a,j}\Big\}.$$ 

2. Let X, Y be PCAs, and f: X → Y a convex map. Then Ff: FX → FY is the 
map $Ff = \mathrm{id}_{[0,1]} \times (f \circ -)$. 


For every X we have $FX \subseteq F_{[0,1]} X$, and for every f: X → Y we have 
$Ff = (F_{[0,1]} f)|_{FX}$. For this reason, we think of F as a subcubic functor. 
The definition of F can be simplified. 


Lemma 4.2. Let X be a PCA, then 

$$FX = \Big\{(o, \phi) \in [0,1] \times X^A \ \Big|\ \exists\, p_a \in [0,1],\ x_a \in X \text{ for } a \in A:\ o + \sum_{a \in A} p_a \le 1,\ \phi(a) = p_a x_a\Big\}.$$ 


From this representation it is obvious that F is monotone in the sense that 


— If $X_1 \subseteq X_2$, then $FX_1 \subseteq FX_2$. 
— If $f_1: X_1 \to Y_1$, $f_2: X_2 \to Y_2$ with $X_1 \subseteq X_2$, $Y_1 \subseteq Y_2$ and $f_2|_{X_1} = f_1$, then 
$Ff_2|_{FX_1} = Ff_1$. 


Note that F does not preserve direct products. 

For a PCA X whose carrier is a compact subset of a euclidean space, FX 
can be described with help of a geometric notion, namely using the Minkowski 
functional of X. Before we can state this fact, we have to make a brief digression 
to explain this notion and its properties. 


Definition 4.3. Let $X \subseteq \mathbb{R}^n$ be a PCA. The Minkowski functional of X is the 
map $\mu_X: \mathbb{R}^n \to [0,\infty]$ defined as $\mu_X(x) = \inf\{t > 0 \mid x \in tX\}$, where the 
infimum of the empty set is understood as $\infty$. 
Minkowski functionals, sometimes also called gauge, are a central and exhaus- 
tively studied notion in convex geometry, see, e.g., [19, p. 34] or [18, p. 28]. 

We list some basic properties whose proof can be found in the mentioned 
textbooks. 

1. $\mu_X(px) = p\,\mu_X(x)$ for $x \in \mathbb{R}^n$, $p > 0$. 
2. $\mu_X(x + y) \le \mu_X(x) + \mu_X(y)$ for $x, y \in \mathbb{R}^n$. 
3. $\mu_{X \cap Y}(x) = \max\{\mu_X(x), \mu_Y(x)\}$ for $x \in \mathbb{R}^n$. 
4. If X is bounded, then $\mu_X(x) = 0$ if and only if $x = 0$. 

The set X can almost be recovered from $\mu_X$. 

5. $\{x \in \mathbb{R}^n \mid \mu_X(x) < 1\} \subseteq X \subseteq \{x \in \mathbb{R}^n \mid \mu_X(x) \le 1\}$. 
6. If X is closed, equality holds in the second inclusion of 5. 
7. Let X, Y be closed. Then $X \subseteq Y$ if and only if $\mu_X \ge \mu_Y$. 


Example 4.4. As two simple examples, consider the n-simplex $\Delta^n \subseteq \mathbb{R}^n$ and a 
convex cone $C \subseteq \mathbb{R}^n$. Then (here $\ge$ denotes the product order on $\mathbb{R}^n$) 

$$\mu_{\Delta^n}(x) = \begin{cases} \sum_{j=1}^n \xi_j, & x = (\xi_1,\dots,\xi_n) \ge 0, \\ \infty, & \text{otherwise,} \end{cases} \qquad \mu_C(x) = \begin{cases} 0, & x \in C, \\ \infty, & \text{otherwise.} \end{cases}$$ 

Observe that $\Delta^n = \{x \in \mathbb{R}^n \mid \mu_{\Delta^n}(x) \le 1\}$. 


Another illustrative example is given by general pyramids in a euclidean 
space. This example will play an important role later on. 


Example 4.5. For $u \in \mathbb{R}^n$ consider the set 

$$X = \{x \in \mathbb{R}^n \mid x \ge 0 \text{ and } \langle x, u \rangle \le 1\},$$ 

where $\langle \cdot, \cdot \rangle$ denotes the euclidean scalar product on $\mathbb{R}^n$. The set X is the intersection 
of the cone $\mathbb{R}^n_+$ with the half-space given by the inequality $\langle x, u \rangle \le 1$, hence it 
is convex and contains 0. Thus X is a PCA. 

Let us first assume that u is strictly positive, i.e., $u \ge 0$ and no component 
of u equals zero. Then X is a pyramid (in 2-dimensional space, a triangle). 
The n-simplex $\Delta^n$ is the pyramid obtained using $u = (1,\dots,1)$. 
The Minkowski functional of the pyramid X associated with u is 

$$\mu_X(x) = \langle x, u \rangle \ \text{ if } x \ge 0, \qquad \mu_X(x) = \infty \ \text{ otherwise.}$$ 
Write $u = \sum_{j=1}^n \alpha_j e_j$, where $e_j$ is the j-th canonical basis vector, and set 
$y_j = \frac{1}{\alpha_j} e_j$. Clearly, $\{y_1,\dots,y_n\}$ is linearly independent. Each vector 
$x = \sum_{j=1}^n \xi_j e_j$ can be written as $x = \sum_{j=1}^n (\alpha_j \xi_j) y_j$, and this is a subconvex 
combination if and only if $\xi_j \ge 0$ and $\sum_{j=1}^n \alpha_j \xi_j \le 1$, i.e., if and only if $x \in X$. 
Thus X is generated by $\{y_1,\dots,y_n\}$ as a PCA. 

The linear map given by the diagonal matrix made up of the $\alpha_j$'s induces a 
bijection of X onto $\Delta^n$, and maps the $y_j$'s to the corner points of $\Delta^n$. Hence, X 
is free with basis $\{y_1,\dots,y_n\}$. 

If u is not strictly positive, the situation changes drastically. Then X is not 
finitely generated as a PCA, because it is unbounded whereas the subconvex hull 
of a finite set is certainly bounded. 


[Figure: the pyramid X in the plane, bounded by the coordinate axes and the line $\langle x, u \rangle = 1$.] 


Now we return to the functor F. 


Lemma 4.6. Let $X \subseteq \mathbb{R}^n$ be a PCA, and assume that X is compact. Then 

$$FX = \Big\{(o, \phi) \in \mathbb{R} \times (\mathbb{R}^n)^A \ \Big|\ o \ge 0,\ o + \sum_{a \in A} \mu_X(\phi(a)) \le 1\Big\}.$$ 


In the following we use the elementary fact that every convex map has a 
linear extension. 


Lemma 4.7. Let $V_1, V_2$ be vector spaces, let $X \subseteq V_1$ be a PCA, and let $c: X \to V_2$ 
be a convex map. Then c has a linear extension $\tilde c: V_1 \to V_2$. If $\mathrm{span}\, X = V_1$ 
this extension is unique. 


Rescaling in this representation of FX leads to a characterisation of F- 
coalgebra maps. We give a slightly more general statement. 


Corollary 4.8. Let $X, Y \subseteq \mathbb{R}^n$ be PCAs, and assume that X and Y are compact. 
Further, let $c: X \to \mathbb{R}_+ \times (\mathbb{R}^n)^A$ be a convex map, and let $\tilde c: \mathbb{R}^n \to \mathbb{R} \times (\mathbb{R}^n)^A$ 
be a linear extension of c. Then $c(X) \subseteq FY$ if and only if 

$$\tilde c_0(x) + \sum_{a \in A} \mu_Y(\tilde c_a(x)) \le \mu_X(x), \qquad x \in \mathbb{R}^n. \tag{4}$$ 
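To make Corollary 4.8 concrete for pyramids (an added example written for this edit, not code from the paper): with X and Y pyramids as in Example 4.5, $\mu$ is the explicit formula of that example, membership in FY is the test of Lemma 4.6, and inequality (4) for a linear $\tilde c$ given by a row vector o and matrices $M_a$ is checked on the basis vectors $e_j$. The reduction to the $e_j$ is my own argument, spelled out in the comments; all numeric data are constructed.

```python
from fractions import Fraction
from math import inf
from typing import Dict, List

Vec = List[Fraction]
INF = inf  # the value oo of a Minkowski functional


def mu_pyramid(u: List, x: List):
    """Minkowski functional of the pyramid X = {x >= 0, <x,u> <= 1} for strictly
    positive u (Example 4.5): <x,u> on the positive orthant, oo elsewhere."""
    if any(xi < 0 for xi in x):
        return INF
    return sum(Fraction(ui) * Fraction(xi) for ui, xi in zip(u, x))


def in_FX(u: List, o, phi: Dict[str, List]) -> bool:
    """Lemma 4.6 for the compact pyramid X(u): (o, phi) lies in FX iff
    o >= 0 and o + sum_a mu_X(phi(a)) <= 1."""
    if o < 0:
        return False
    total = Fraction(o)
    for a in phi:
        m = mu_pyramid(u, phi[a])
        if m == INF:
            return False
        total += m
    return total <= 1


def apply_linear(o_row: List, mats: Dict[str, List[List]], x: List):
    """Evaluate the linear map c~ = (c~_0, (c~_a)_a) at x: c~_0 is the row
    vector o_row, c~_a acts by the matrix M_a (column j = c~_a(e_j))."""
    xf = [Fraction(v) for v in x]
    c0 = sum(Fraction(oj) * xj for oj, xj in zip(o_row, xf))
    cs = {a: [sum(Fraction(m[i][j]) * xf[j] for j in range(len(xf)))
              for i in range(len(m))] for a, m in mats.items()}
    return c0, cs


def maps_into(o_row: List, mats: Dict[str, List[List]], u: List, v: List) -> bool:
    """Decide c~(X(u)) subset of F Y(v) via inequality (4) of Corollary 4.8.
    Outside the positive orthant mu_X(x) = oo and (4) is trivial. On the orthant:
    if every M_a is entrywise >= 0, both sides of (4) are linear there, so (4)
    holds on the cone iff it holds on its extreme rays e_j; if some M_a has a
    negative entry, the corresponding e_j already violates (4) since
    mu_Y(M_a e_j) = oo. Hence checking the e_j is exact, not a sampling."""
    n = len(u)
    for j in range(n):
        e_j = [1 if i == j else 0 for i in range(n)]
        c0, cs = apply_linear(o_row, mats, e_j)
        if c0 < 0:                        # c has to map into R_+ x (R^n)^A
            return False
        lhs = Fraction(c0)
        for a in cs:
            m = mu_pyramid(v, cs[a])
            if m == INF:
                return False
            lhs += m
        if lhs > mu_pyramid(u, e_j):      # mu_X(e_j) = u_j
            return False
    return True


# Constructed sample data (not from the paper), alphabet A = {a}, n = 2.
SIMPLEX = [1, 1]                 # u = (1,1): X = Delta^2
SUBPROB = ([Fraction(1, 2), 0],  # output weight 1/2 on e_1, transitions of weight 1/2
           {"a": [[0, Fraction(1, 2)], [Fraction(1, 2), 0]]})
DOUBLING = ([0, 0],              # e_1 |-> 2 e_2 leaves F Delta^2 ...
            {"a": [[0, 0], [2, 0]]})
WIDE = [1, Fraction(1, 2)]       # ... but the pyramid Y(1, 1/2) absorbs it

if __name__ == "__main__":
    print(maps_into(*SUBPROB, SIMPLEX, SIMPLEX))    # True: a subprobabilistic automaton
    print(maps_into(*DOUBLING, SIMPLEX, SIMPLEX))   # False
    print(maps_into(*DOUBLING, SIMPLEX, WIDE))      # True: c(X) in FY with Y = WIDE
    print(maps_into(*DOUBLING, WIDE, WIDE))         # True: (Y, c~|Y) is an F-coalgebra
```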


5 An Extension Theorem for F-coalgebras 


In this section we establish an extension theorem for F-coalgebras. It states that 
an F-coalgebra, whose carrier has a particular geometric form, can, under a mild 
additional condition, be embedded into an F-coalgebra whose carrier is free and 
finitely generated. 
Theorem 5.1. Let (X,c) be an F-coalgebra whose carrier X is a compact subset 
of a euclidean space $\mathbb{R}^n$ with $\Delta^n \subseteq X \subseteq \mathbb{R}^n_+$. Assume that the output map $c_0$ 
does not vanish on invariant coordinate hyperplanes in the sense that ($e_j$ denotes 
again the j-th canonical basis vector in $\mathbb{R}^n$) 

$$\nexists\, I \subseteq \{1,\dots,n\}:\quad I \ne \emptyset,\quad c_0(e_j) = 0,\ j \in I,\quad c_a(e_j) \in \mathrm{span}\{e_i \mid i \in I\},\ a \in A,\ j \in I. \tag{5}$$ 

Then there exists an F-coalgebra (Y,d), such that $X \subseteq Y \subseteq \mathbb{R}^n_+$, the inclusion 
map $\iota: X \to Y$ is a Coalg(F)-morphism, and Y is the subconvex hull of n linearly 
independent vectors (in particular, Y is free with n generators). 


The idea of the proof can be explained by geometric intuition. Say, we have 
an F-coalgebra (X, c) of the stated form, and let $\tilde c: \mathbb{R}^n \to \mathbb{R} \times (\mathbb{R}^n)^A$ be the 
linear extension of c to all of $\mathbb{R}^n$, cf. Lemma 4.7. 

Remembering that pyramids are free and finitely generated, we will be done if 
we find a pyramid $Y \supseteq X$ which is mapped into FY by $\tilde c$: 

$$X \hookrightarrow Y, \qquad c = \tilde c|_X: X \to FX, \qquad d = \tilde c|_Y: Y \to FY, \qquad FX \hookrightarrow FY.$$ 

This task can be reformulated as follows: For each pyramid $Y_1$ containing X let 
$P(Y_1)$ be the set of all pyramids $Y_2$ containing X, such that $\tilde c(Y_2) \subseteq FY_1$. If we 
find Y with $Y \in P(Y)$, we are done. 

Existence of Y can be established by applying a fixed point principle for set- 
valued maps. The result sufficient for our present level of generality is Kakutani's 
generalisation [12, Corollary] of Brouwer's fixed point theorem. 


6 Properness of F 


In this section we give the second main result of the paper. 


Theorem 6.1. The functor F is proper. 

In fact, for each two given coalgebras with free finitely generated carrier and 
each two elements having the same trace, a zig-zag with free and finitely generated 
nodes relating those elements can be found, which has three intermediate nodes 
with the middle one forming a span. 
We try to follow the proof scheme familiar from the cubic case. Assume we 
are given two F-coalgebras with free finitely generated carrier, say $(\Delta^{n_1}, c_1)$ and 
$(\Delta^{n_2}, c_2)$, and elements $x_1 \in \Delta^{n_1}$ and $x_2 \in \Delta^{n_2}$ having the same trace. Since 
$F\Delta^{n_j} \subseteq \mathbb{R} \times (\mathbb{R}^{n_j})^A$ we can apply Lemma 4.7 and obtain $F_{\mathbb{R}}$-coalgebras $(\mathbb{R}^{n_j}, \tilde c_j)$ 
with $\tilde c_j|_{\Delta^{n_j}} = c_j$. This leads to the basic diagram: 

$$\Delta^{n_1} \hookrightarrow \mathbb{R}^{n_1} \xleftarrow{\ \pi_1\ } Z \xrightarrow{\ \pi_2\ } \mathbb{R}^{n_2} \hookleftarrow \Delta^{n_2}, \qquad Z \subseteq \mathbb{R}^{n_1} \times \mathbb{R}^{n_2},$$ 
$$F\Delta^{n_1} \hookrightarrow F_{\mathbb{R}}\mathbb{R}^{n_1} \xleftarrow{F_{\mathbb{R}} \pi_1} F_{\mathbb{R}} Z \xrightarrow{F_{\mathbb{R}} \pi_2} F_{\mathbb{R}}\mathbb{R}^{n_2} \hookleftarrow F\Delta^{n_2}, \qquad F_{\mathbb{R}} Z \subseteq \mathbb{R} \times (\mathbb{R}^{n_1} \times \mathbb{R}^{n_2})^A$$ 

(vertical arrows $c_1$, $\tilde c_1$, $d$, $\tilde c_2$, $c_2$). 

At this point the line of argument known from the cubic case breaks: it is not 
granted that $Z \cap (\Delta^{n_1} \times \Delta^{n_2})$ becomes an F-coalgebra with the restriction of d. 

The substitute for $Z \cap (\Delta^{n_1} \times \Delta^{n_2})$ suitable for proceeding one step further is 
given by the following lemma, where we tacitly identify $\mathbb{R}^{n_1} \times \mathbb{R}^{n_2}$ with $\mathbb{R}^{n_1+n_2}$. 


Lemma 6.2. We have $d(Z \cap 2\Delta^{n_1+n_2}) \subseteq F(Z \cap 2\Delta^{n_1+n_2})$. 


This shows that $Z \cap 2\Delta^{n_1+n_2}$ becomes an F-coalgebra with the restriction 
of d. Still, we cannot return to the usual line of argument: it is not granted that 
$\pi_j(Z \cap 2\Delta^{n_1+n_2}) \subseteq \Delta^{n_j}$. This forces us to introduce additional nodes to produce 
a zig-zag in Coalg(F). These additional nodes are given by the following lemma. 
There co(−) denotes the convex hull. 


Lemma 6.3. Set $Y_j = \mathrm{co}\big(\Delta^{n_j} \cup \pi_j(Z \cap 2\Delta^{n_1+n_2})\big)$. Then $\tilde c_j(Y_j) \subseteq FY_j$. 


This shows that $Y_j$ becomes an F-coalgebra with the restriction of $\tilde c_j$. We 
are led to a zig-zag in Coalg(F): 

$$(\Delta^{n_1}, c_1) \xrightarrow{\ \subseteq\ } (Y_1, \tilde c_1) \xleftarrow{\ \pi_1\ } (Z \cap 2\Delta^{n_1+n_2}, d) \xrightarrow{\ \pi_2\ } (Y_2, \tilde c_2) \xleftarrow{\ \subseteq\ } (\Delta^{n_2}, c_2)$$ 

This zig-zag relates $x_1$ and $x_2$ since $(x_1, x_2) \in Z \cap 2\Delta^{n_1+n_2}$. 

Using Minkowski’s Theorem and the argument from [24, Lemma B.8] shows 
that the middle node has finitely generated carrier. The two nodes with incoming 
arrows are, as convex hulls of two finitely generated PCAs, of course also finitely 
generated. But in general they will not be free (and this is essential, remember 
Remark 2.2). Now Theorem 5.1 comes into play. 
Lemma 6.4. Assume that each of $(\Delta^{n_1}, c_1)$ and $(\Delta^{n_2}, c_2)$ satisfies the following 
condition: 

$$\nexists\, I \subseteq \{1,\dots,n_j\}:\quad I \ne \emptyset,\quad c_{j,0}(e_k) = 0,\ k \in I,\quad c_{j,a}(e_k) \in \mathrm{co}(\{e_i \mid i \in I\} \cup \{0\}),\ a \in A,\ k \in I. \tag{6}$$ 

Then there exist free finitely generated PCAs $U_j$ with $Y_j \subseteq U_j \subseteq \mathbb{R}^{n_j}_+$ which satisfy 
$\tilde c_j(U_j) \subseteq FU_j$. 

This shows that $U_j$, under the additional assumption (6) on $(\Delta^{n_j}, c_j)$, 
becomes an F-coalgebra with the restriction of $\tilde c_j$. Thus we have a zig-zag in 
Coalg(F) relating $x_1$ and $x_2$ whose nodes with incoming arrows are free and 
finitely generated, and whose node with outgoing arrows is finitely generated: 

$$(\Delta^{n_1}, c_1) \xrightarrow{\ \subseteq\ } (Y_1, \tilde c_1) \xleftarrow{\ \pi_1\ } (Z \cap 2\Delta^{n_1+n_2}, d) \xrightarrow{\ \pi_2\ } (Y_2, \tilde c_2) \xleftarrow{\ \subseteq\ } (\Delta^{n_2}, c_2)$$ 
$$(Y_1, \tilde c_1) \xrightarrow{\ \subseteq\ } (U_1, \tilde c_1), \qquad (Y_2, \tilde c_2) \xrightarrow{\ \subseteq\ } (U_2, \tilde c_2)$$ 

Removing the additional assumption on $(\Delta^{n_j}, c_j)$ is an easy exercise. 


Lemma 6.5. Let $(\Delta^n, c)$ be an F-coalgebra. Assume that I is a nonempty subset 
of $\{1,\dots,n\}$ with 

$$c_0(e_k) = 0,\ k \in I \quad\text{and}\quad c_a(e_k) \in \mathrm{co}(\{e_i \mid i \in I\} \cup \{0\}),\ a \in A,\ k \in I. \tag{7}$$ 

Let X be the free PCA with basis $\{e_k \mid k \in \{1,\dots,n\} \setminus I\}$, and let $f: \Delta^n \to X$ be 
the PCA-morphism with $f(e_k) = 0$ if $k \in I$ and $f(e_k) = e_k$ if $k \notin I$. Further, let 
$g: X \to [0,1] \times X^A$ be the PCA-morphism with 

$$g(e_k) = \big(c_0(e_k), (f(c_a(e_k)))_{a \in A}\big), \qquad k \in \{1,\dots,n\} \setminus I.$$ 

Then (X,g) is an F-coalgebra, and f is an F-coalgebra morphism of $(\Delta^n, c)$ 
onto (X,g). 


Corollary 6.6. Let $(\Delta^n, c)$ be an F-coalgebra. Then there exists $k \le n$, an F- 
coalgebra $(\Delta^k, g)$, such that $(\Delta^k, g)$ satisfies the assumption in Lemma 6.4 and 
such that there exists an F-coalgebra map f of $(\Delta^n, c)$ onto $(\Delta^k, g)$. 


The proof of Theorem 6.1 is now finished by putting together what we showed 
so far. Starting with F-coalgebras $(\Delta^{n_j}, c_j)$ without any additional assumptions, 
and elements $x_j \in \Delta^{n_j}$ having the same trace, we first reduce by means of 
Corollary 6.6 and then apply Lemma 6.4. This gives a zig-zag as required: 

$$(\Delta^{n_1}, c_1) \xrightarrow{\ f_1\ } (\Delta^{k_1}, g_1) \xrightarrow{\ \subseteq\ } (U_1, \tilde g_1) \xleftarrow{\ \pi_1\ } (Z \cap 2\Delta^{k_1+k_2}, d) \xrightarrow{\ \pi_2\ } (U_2, \tilde g_2) \xleftarrow{\ \subseteq\ } (\Delta^{k_2}, g_2) \xleftarrow{\ f_2\ } (\Delta^{n_2}, c_2)$$ 

and completes the proof of properness of F. 
Abstract. One perspective on quantum algorithms is that they are clas- 
sical algorithms having access to a special kind of memory with exotic 
properties. This perspective suggests that, even in the case of quantum 
algorithms, the control flow notions of sequencing, conditionals, loops, 
and recursion are entirely classical. There is, however, another notion 
of control flow, that is itself quantum. The notion of quantum condi- 
tional expression is reasonably well-understood: the execution of the two 
expressions becomes itself a superposition of executions. The quantum 
counterpart of loops and recursion is however not believed to be mean- 
ingful in its most general form. 

In this paper, we argue that, under the right circumstances, a rea- 
sonable notion of quantum loops and recursion is possible. To this aim, 
we first propose a classical, typed, reversible language with lists and fix- 
points. We then extend this language to the closed quantum domain 
(without measurements) by allowing linear combinations of terms and 
restricting fixpoints to structurally recursive fixpoints whose termina- 
tion proofs match the proofs of convergence of sequences in infinite- 
dimensional Hilbert spaces. We additionally give an operational seman- 
tics for the quantum language in the spirit of algebraic lambda-calculi 
and illustrate its expressiveness by modeling several common unitary 
operations. 


1 Introduction 


The control flow of a program describes how its elementary operations are orga- 
nized along the execution. Usual primitive control mechanisms are sequences, 
tests, iteration and recursion. Elementary operations placed in sequence are exe- 
cuted in order. Tests allow conditionally executing a group of operations and 
changing the course of the execution of the program. Finally, iteration gives the 
possibility to iterate a process an arbitrary number of times and recursion gener- 
alizes iteration to automatically manage the history of the operations performed 
during iteration. The structure of control flow for conventional (classical) com- 
putation is well-understood. In the case of quantum computation, control flow is 
still subject to debate. This paper proposes a working notion of quantum control 
in closed quantum systems, shedding new light on the problem, and clarifying 
several of the previous concerns. 


Quantum Computation. A good starting point for understanding quantum computation is to consider classical circuits over bits but replacing the bits with qubits, which are intuitively superpositions of bits weighted by complex-number amplitudes. Computationally, a qubit is an abstract data type governed by the laws of quantum physics, whose values are normalized vectors of complex numbers in the Hilbert space $\mathbb{C}^2$ (modulo a global phase). By choosing an orthonormal basis, say the classical bits $\mathit{tt}$ and $\mathit{ff}$, a qubit can be regarded as a complex linear combination, $\alpha\,\mathit{tt} + \beta\,\mathit{ff}$, where $\alpha$ and $\beta$ are complex numbers such that $|\alpha|^2 + |\beta|^2 = 1$. This generalizes naturally to multiple qubits: the state of a system of $n$ qubits is a vector in the Hilbert space $(\mathbb{C}^2)^{\otimes n}$.

The operations one can perform on a quantum memory are of two kinds: quantum gates and measurements. Quantum gates are unitary operations that are “purely quantum” in the sense that they modify the quantum memory without giving any feedback to the outside world: the quantum memory is viewed as a closed system. A customary graphical representation for these operations is the quantum circuit, akin to conventional boolean circuits: wires represent qubits while boxes represent operations to perform on them. One of the peculiar aspects of quantum computation is that the state of a qubit is non-duplicable [1], a result known as the no-cloning theorem. A corollary is that a quantum circuit is a very simple kind of circuit: wires neither split nor merge.

Measurement is a fundamentally different kind of operation: it queries the state of the quantum memory and returns a classical result. Measuring the state of a quantum bit is a probabilistic and destructive operation: it produces a classical answer with a probability that depends on the amplitudes $\alpha, \beta$ in the state of the qubit while projecting this state onto $\mathit{tt}$ or $\mathit{ff}$, based on the result.

For a more detailed introduction to quantum computation, we refer the reader 
to recent textbooks (e.g., [2]). 


Control Flow in Quantum Computation. In the context of quantum programming languages, there is a well-understood notion of control flow: the so-called classical control flow. A quantum program can be seen as the construction, manipulation and evaluation of quantum circuits [3,4]. In this setting, circuits are simply considered as special kinds of data without much computational content, and programs are ruled by regular classical control.

One can however consider the circuit being manipulated as a program in its own right: a particular sequence of execution on the quantum memory is then seen as a closed system. One can then try to derive a notion of quantum control [5], with “quantum tests” and “quantum loops”. Quantum tests are a bit tricky to perform [5,6] but they essentially correspond to well-understood controlled operations. The situation with quantum loops is more subtle [6,7]. First, a hypothetical quantum loop must terminate. Indeed, a non-terminating quantum loop would entail an infinite quantum circuit, and this concept has so far no meaning. Second, the interaction of quantum loops with measurement is problematic: it is known that the canonical model of open quantum computation based on superoperators [8,9] is incompatible with such quantum control [6]. Finally, the mathematical operator corresponding to a quantum loop would need to act on an infinite-dimensional Hilbert space and the question of mixing programming languages with infinitary Hilbert spaces is still an unresolved issue.


Our Contribution. In this paper, we offer a novel solution to the question of quantum control: we define a purely quantum language, inspired by Theseus [10], featuring tests and fixpoints in the presence of lists. More precisely, we propose (1) a typed, reversible language, extensible to linear combinations of terms, with a reduction strategy akin to algebraic lambda-calculi [11-13]; (2) a model for the language based on unitary operators over infinite-dimensional Hilbert spaces, simplifying the Fock space model of Ying [7]. This model captures lists, tests, and structurally recursive fixpoints. We therefore settle two longstanding issues. (1) We offer a solution to the problem of quantum loops, with the use of terminating, structurally recursive, purely quantum fixpoints. We dodge previously noted concerns (e.g., [6]) by staying in the closed quantum setting and answer the problem of the external system of quantum “coins” [7] with the use of lists. (2) By using a linear language based on patterns and clauses, we give an extensible framework for reconciling algebraic calculi with quantum computation [11,12,16].

In the remainder of the paper, we first introduce the key idea underlying our classical reversible language in a simple first-order setting. We then generalize the setting to allow second-order functions, recursive types (e.g., lists), and fixpoints. After illustrating the expressiveness of this classical language, we adapt it to the quantum domain and give a semantics to the resulting quantum language in infinite-dimensional Hilbert spaces. Technical material that would interrupt the flow or that is somewhat complementary has been relegated to an extended version of the paper [17].


2 Pattern-Matching Isomorphisms 


The most elementary control structure in a programming language is the ability to conditionally execute one of several possible code fragments. Expressing such an abstraction using predicates and nested if-expressions makes it difficult for both humans and compilers to reason about the control flow structure. Instead, in modern functional languages, this control flow paradigm is elegantly expressed using pattern-matching. This approach yields code that is not only more concise and readable but also enables the compiler to easily verify two crucial properties: (i) non-overlapping patterns and (ii) exhaustive coverage of a datatype using a collection of patterns. Indeed most compilers for functional languages perform these checks, warning the user when they are violated. At a more fundamental level, e.g., in type theories and proof assistants, these properties are actually necessary for correct reasoning about programs. Our first insight, explained in this section, is that these properties, perhaps surprisingly, are sufficient to produce a simple and intuitive first-order reversible programming language.


    f :: Either Int Int -> a
    f (Left 0)     = undefined
    f (Left (n+1)) = undefined
    f (Right n)    = undefined

Fig. 1. A skeleton

    g :: (Bool,Int) -> a
    g (False,n)  = undefined
    g (True,0)   = undefined
    g (True,n+1) = undefined

Fig. 2. Another skeleton

    h :: Either Int Int <-> (Bool,Int)
    h (Left 0)     = (True,0)
    h (Left (n+1)) = (False,n)
    h (Right n)    = (True,n+1)

Fig. 3. An isomorphism


2.1 An Example 


We start with a small illustrative example, written in a Haskell-like syntax. Figure 1 gives the skeleton of a function f that accepts a value of type Either Int Int; the patterns on the left-hand side exhaustively cover every possible incoming value and are non-overlapping. Similarly, Fig. 2 gives the skeleton for a function g that accepts a value of type (Bool,Int); again the patterns on the left-hand side exhaustively cover every possible incoming value and are non-overlapping. Now we claim that since the types Either Int Int and (Bool,Int) are isomorphic, we can combine the patterns of f and g into symmetric pattern-matching clauses to produce a reversible function between the types Either Int Int and (Bool,Int). Figure 3 gives one such function; there, we suggestively use <-> to indicate that the function can be executed in either direction. This reversible function is obtained by simply combining the non-overlapping exhaustive patterns on the two sides of a clause. In order to be well-formed in either direction, these clauses are subject to the constraint that each variable occurring on one side must occur exactly once on the other side (and with the same type). Thus it is acceptable to swap the second and third right-hand sides of h but not the first and second ones.


2.2 Terms and Types 


We present a formalization of the ideas presented above using a simple typed first-order reversible language. The language is two-layered. The first layer contains values, which also play the role of patterns. These values are constructed from variables ranged over by $x$ and the introduction forms for the finite types $a, b$ constructed from the unit type and sums and products of types. The second layer contains collections of pattern-matching clauses that denote isomorphisms of type $a \leftrightarrow b$. Computations are chained applications of isomorphisms to values:

$$\begin{array}{lrcl}
\text{(Value types)} & a, b & ::= & 1 \mid a \oplus b \mid a \otimes b \\
\text{(Iso types)} & T & ::= & a \leftrightarrow b \\
\text{(Values)} & v & ::= & () \mid x \mid \mathrm{inj}_l\, v \mid \mathrm{inj}_r\, v \mid \langle v_1, v_2 \rangle \\
\text{(Isos)} & \omega & ::= & \{\ |\ v_1 \leftrightarrow v_1' \ |\ v_2 \leftrightarrow v_2' \ \ldots\ \} \\
\text{(Terms)} & t & ::= & v \mid \omega\, t
\end{array}$$


The typing rules are defined using two judgments: $\Delta \vdash_v v : a$ for typing values (or patterns) and terms; and $\vdash_\omega \omega : a \leftrightarrow b$ for typing collections of pattern-matching clauses denoting an isomorphism. As is customary, we write $a_1 \oplus a_2 \oplus \cdots \oplus a_n$ for $((a_1 \oplus a_2) \oplus \cdots) \oplus a_n$, and similarly $\langle x_1, x_2, \ldots, x_n \rangle$ for $\langle\langle x_1, x_2\rangle, \ldots, x_n\rangle$. The typing rules for values are the expected ones. The only subtlety is the fact that they are linear: because values act as patterns, we forbid the repetition of variables. A typing context $\Delta$ is a set of typed variables $x_1 : a_1, \ldots, x_n : a_n$. A value typing judgment is valid if it can be derived from the following rules:


$$\frac{}{\vdash_v () : 1} \qquad \frac{}{x : a \vdash_v x : a} \qquad \frac{\Delta_1 \vdash_v v_1 : a \quad \Delta_2 \vdash_v v_2 : b}{\Delta_1, \Delta_2 \vdash_v \langle v_1, v_2 \rangle : a \otimes b}$$

$$\frac{\Delta \vdash_v v : a}{\Delta \vdash_v \mathrm{inj}_l\, v : a \oplus b} \qquad \frac{\Delta \vdash_v v : b}{\Delta \vdash_v \mathrm{inj}_r\, v : a \oplus b}$$


The typing rule for term construction is simple and forces the term to be closed:

$$\frac{\vdash_v t : a \quad \vdash_\omega \omega : a \leftrightarrow b}{\vdash_v \omega\, t : b}$$


The most interesting type rule is the one for isomorphisms. We present the rule and then explain it in detail:

$$\frac{\begin{array}{ccc}
\Delta_1 \vdash_v v_1 : a \ \cdots\ \Delta_n \vdash_v v_n : a & \forall i \neq j,\ v_i \perp v_j & \dim(a) = n \\
\Delta_1 \vdash_v v_1' : b \ \cdots\ \Delta_n \vdash_v v_n' : b & \forall i \neq j,\ v_i' \perp v_j' & \dim(b) = n
\end{array}}{\vdash_\omega \{\ |\ v_1 \leftrightarrow v_1' \ |\ v_2 \leftrightarrow v_2' \ \ldots\ \} : a \leftrightarrow b} \qquad (1)$$


The rule relies on two auxiliary conditions as motivated in the beginning of the section. These conditions are (i) the orthogonality judgment $v \perp v'$ that formalizes that patterns must be non-overlapping and (ii) the condition $\dim(a) = n$ which formalizes that patterns are exhaustive. The rules for deriving orthogonality of values or patterns are:


$$\frac{}{\mathrm{inj}_l\, v_1 \perp \mathrm{inj}_r\, v_2} \qquad \frac{}{\mathrm{inj}_r\, v_1 \perp \mathrm{inj}_l\, v_2} \qquad \frac{v_1 \perp v_2}{\mathrm{inj}_l\, v_1 \perp \mathrm{inj}_l\, v_2} \qquad \frac{v_1 \perp v_2}{\mathrm{inj}_r\, v_1 \perp \mathrm{inj}_r\, v_2}$$

$$\frac{v_1 \perp v_2}{\langle v, v_1 \rangle \perp \langle v, v_2 \rangle} \qquad \frac{v_1 \perp v_2}{\langle v_1, v \rangle \perp \langle v_2, v' \rangle}$$


The idea is simply that the left and right injections are disjoint subspaces of values. To characterize that a set of patterns is exhaustive, we associate a dimension with each type. For finite types, this is just the number of elements in the type and is inductively defined as follows: $\dim(1) = 1$; $\dim(a \oplus b) = \dim(a) + \dim(b)$; and $\dim(a \otimes b) = \dim(a) \cdot \dim(b)$. For a given type $a$, if a set of non-overlapping clauses has cardinality $\dim(a)$, it is exhaustive. Conversely, any set of exhaustive clauses for a type $a$ either has cardinality $\dim(a)$ or can be extended to an equivalent exhaustive set of clauses of cardinality $\dim(a)$.


2.3 Semantics 


We equip our language with a simple operational semantics on terms, using the natural notion of matching. To formally define it, we first introduce the notion of variable assignation, or valuation, which is a partial map from a finite set of variables (the support) to a set of values. We denote the matching of a value $w$ against a pattern $v$ and its associated valuation $\sigma$ as $\sigma[v] = w$ and define it as follows:


$$\frac{}{\sigma[()] = ()} \qquad \frac{\sigma = \{x \mapsto v\}}{\sigma[x] = v} \qquad \frac{\sigma[v] = w}{\sigma[\mathrm{inj}_l\, v] = \mathrm{inj}_l\, w} \qquad \frac{\sigma[v] = w}{\sigma[\mathrm{inj}_r\, v] = \mathrm{inj}_r\, w}$$

$$\frac{\sigma_1[v_1] = w_1 \quad \sigma_2[v_2] = w_2 \quad \mathrm{supp}(\sigma_1) \cap \mathrm{supp}(\sigma_2) = \emptyset \quad \sigma = \sigma_1 \cup \sigma_2}{\sigma[\langle v_1, v_2 \rangle] = \langle w_1, w_2 \rangle}$$


If $\sigma$ is a valuation whose support contains the variables of $v$, we write $\sigma(v)$ for the value where the variables of $v$ have been replaced with the corresponding values in $\sigma$.

Given these definitions, we can define the reduction relation on terms. The redex $\{\ |\ v_1 \leftrightarrow v_1' \ |\ v_2 \leftrightarrow v_2' \ \ldots\ \}\, v$ reduces to $\sigma(v_j')$ whenever $\sigma[v_j] = v$. Because of the conditions on patterns, a matching pattern exists by exhaustivity of coverage, and this pattern is unique by the non-overlapping condition. Congruence holds: $\omega\, t \to \omega\, t'$ whenever $t \to t'$. As usual, we write $s \to t$ to say that $s$ rewrites in one step to $t$ and $s \to^* t$ to say that $s$ rewrites to $t$ in 0 or more steps.

Because of the conditions set on patterns, the rewrite system is deterministic. More interestingly, we can swap the two sides of all pattern-matching clauses in an isomorphism $\omega$ to get $\omega^{-1}$. The execution of $\omega^{-1}$ is the reverse execution of $\omega$ in the sense that $\omega^{-1}(\omega\, t) \to^* t$ and $\omega(\omega^{-1}\, t) \to^* t$.
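As an added example (ours, not the paper's code), the following Python interpreter implements the side conditions of rule (1) from Sect. 2.2 and the matching-based reduction of Sect. 2.3, then runs the cnot iso of Sect. 4 forwards and backwards. The tuple encoding of types and values, all names, and the counting check for exhaustiveness are our choices.

```python
# Added example (ours, not the paper's code): a tiny interpreter for the
# first-order language of Sect. 2.  Types and values are Python tuples and all
# names are ours.  Exhaustiveness is checked by counting: a variable pattern of
# type a covers dim(a) closed values, i.e. it stands for the dim(a) clauses the
# text says an exhaustive set can be extended to.

UNIT = ('1',)                                  # value types: 1, a + b, a * b
def SUM(a, b): return ('+', a, b)
def PROD(a, b): return ('*', a, b)

U = ('unit',)                                  # values and patterns
def var(x): return ('var', x)
def inl(v): return ('inl', v)
def inr(v): return ('inr', v)
def pair(v1, v2): return ('pair', v1, v2)

def dim(ty):
    """dim(1) = 1, dim(a+b) = dim(a) + dim(b), dim(a*b) = dim(a) * dim(b)."""
    if ty == UNIT:
        return 1
    k, a, b = ty
    return dim(a) + dim(b) if k == '+' else dim(a) * dim(b)

def coverage(p, ty):
    """Number of closed values of type ty that pattern p matches."""
    if p[0] == 'var': return dim(ty)
    if p[0] == 'unit': return 1
    _, a, b = ty
    if p[0] == 'inl': return coverage(p[1], a)
    if p[0] == 'inr': return coverage(p[1], b)
    return coverage(p[1], a) * coverage(p[2], b)

def orthogonal(v, w):
    """The judgment v ⊥ w of Sect. 2.2, one case per rule."""
    if v[0] in ('inl', 'inr') and w[0] in ('inl', 'inr'):
        return v[0] != w[0] or orthogonal(v[1], w[1])
    if v[0] == 'pair' and w[0] == 'pair':
        return orthogonal(v[1], w[1]) or (v[1] == w[1] and orthogonal(v[2], w[2]))
    return False                               # () and variables: no rule applies

def free_vars(v):
    if v[0] == 'var':
        return {v[1]}
    if v[0] in ('inl', 'inr'):
        return free_vars(v[1])
    return free_vars(v[1]) | free_vars(v[2]) if v[0] == 'pair' else set()

def well_formed(clauses, a, b):
    """Side conditions of rule (1) for { | v1 <-> v1' | ... } : a <-> b: same
    variables on both sides of a clause, pairwise orthogonal patterns, exhaustive."""
    for i, (lhs, rhs) in enumerate(clauses):
        if free_vars(lhs) != free_vars(rhs):
            return False
        for lhs2, rhs2 in clauses[i + 1:]:
            if not (orthogonal(lhs, lhs2) and orthogonal(rhs, rhs2)):
                return False
    return (sum(coverage(l, a) for l, _ in clauses) == dim(a)
            and sum(coverage(r, b) for _, r in clauses) == dim(b))

def match(p, w):
    """σ[p] = w (Sect. 2.3): the valuation σ, or None if p does not match w."""
    if p[0] == 'var':
        return {p[1]: w}
    if p[0] != w[0]:
        return None
    if p[0] == 'unit':
        return {}
    if p[0] in ('inl', 'inr'):
        return match(p[1], w[1])
    s1, s2 = match(p[1], w[1]), match(p[2], w[2])
    if s1 is None or s2 is None or s1.keys() & s2.keys():
        return None                            # supports must be disjoint
    return {**s1, **s2}

def subst(sigma, v):
    """σ(v): v with its variables replaced by their values in σ."""
    if v[0] == 'var':
        return sigma[v[1]]
    if v[0] in ('inl', 'inr'):
        return (v[0], subst(sigma, v[1]))
    return ('pair', subst(sigma, v[1]), subst(sigma, v[2])) if v[0] == 'pair' else v

def apply_iso(clauses, w):
    """{ | v1 <-> v1' | ... } w reduces to σ(vj') for the unique j with σ[vj] = w."""
    for lhs, rhs in clauses:
        sigma = match(lhs, w)
        if sigma is not None:
            return subst(sigma, rhs)
    raise ValueError("no clause matches: the patterns are not exhaustive")

def invert(clauses):
    """ω⁻¹: swap the two sides of every clause; ω⁻¹(ω v) reduces back to v."""
    return [(rhs, lhs) for lhs, rhs in clauses]

# Booleans B = 1 + 1 with tt = inj_l (), ff = inj_r (), and the isos not and
# cnot with the clauses Sect. 4 gives for them.
B = SUM(UNIT, UNIT)
TT, FF = inl(U), inr(U)
NOT = [(TT, FF), (FF, TT)]
CNOT = [(pair(FF, var('x')), pair(FF, var('x'))),
        (pair(TT, TT), pair(TT, FF)),
        (pair(TT, FF), pair(TT, TT))]
```

A clause set such as ⟨tt, x⟩ together with ⟨y, tt⟩ is rejected by well_formed because both patterns match ⟨tt, tt⟩, and a set with too few clauses is rejected by the dimension count.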


3 Second-Order Functions, Lists, and Recursion 


The first-order reversible language from the previous section embodies symmetric pattern-matching clauses as its core notion of control. Its expressiveness is limited, however. We now show that it is possible to extend it to have more in common with a conventional functional language. To that end, we extend the language with the ability to parametrically manipulate isomorphisms, with a recursive type (lists), and with recursion.


3.1 Terms and Types


Formally, the language is now defined as follows.

$$\begin{array}{lrcl}
\text{(Val \& term types)} & a, b & ::= & 1 \mid a \oplus b \mid a \otimes b \mid [a] \\
\text{(Iso types)} & T & ::= & a \leftrightarrow b \mid (a \leftrightarrow b) \to T \\
\text{(Values)} & v & ::= & () \mid x \mid \mathrm{inj}_l\, v \mid \mathrm{inj}_r\, v \mid \langle v_1, v_2 \rangle \\
\text{(Products)} & p & ::= & () \mid x \mid \langle p_1, p_2 \rangle \\
\text{(Extended values)} & e & ::= & v \mid \mathbf{let}\ p_1 = \omega\, p_2\ \mathbf{in}\ e \\
\text{(Isos)} & \omega & ::= & \{\ |\ v_1 \leftrightarrow e_1 \ |\ v_2 \leftrightarrow e_2 \ \ldots\ \} \mid \lambda f.\omega \mid \mu f.\omega \mid f \mid \omega_1\, \omega_2 \\
\text{(Terms)} & t & ::= & () \mid x \mid \mathrm{inj}_l\, t \mid \mathrm{inj}_r\, t \mid \langle t_1, t_2 \rangle \mid \omega\, t \mid \mathbf{let}\ p = t_1\ \mathbf{in}\ t_2
\end{array}$$


We use variables $f$ to span a set of iso-variables and variables $x$ to span a set of term-variables. We extend the layer of isos so that it can be parameterized by a fixed number of other isos, i.e., we now allow higher-order manipulation of isos using $\lambda f.\omega$, iso-variables, and applications. Isos can now be used inside the definition of other isos with a let-notation. These let-constructs are however restricted to products of term-variables: they essentially serve as syntactic sugar for composition of isos. An extended value is then a value where some of its free variables are substituted with the result of the application of one or several isos. Given an extended value $e$, we define its bottom value, denoted with $\mathrm{Val}(e)$, as the value “at the end” of the let-chain: $\mathrm{Val}(v) = v$, and $\mathrm{Val}(\mathbf{let}\ p = \omega\, p'\ \mathbf{in}\ e) = \mathrm{Val}(e)$. The orthogonality of extended values is simply the orthogonality of their bottom value.

As usual, the type of lists $[a]$ of elements of type $a$ is a recursive type and is equivalent to $1 \oplus (a \otimes [a])$. We build the value $[]$ (empty list) as $\mathrm{inj}_l\, ()$ and the term $t_1 : t_2$ (cons of $t_1$ and $t_2$) as $\mathrm{inj}_r\, \langle t_1, t_2 \rangle$. In addition, to take full advantage of recursive datatypes, it is natural to consider recursion. Modulo a termination guarantee it is possible to add a fixpoint to the language: we extend isos with the fixpoint constructor $\mu f.\omega$. Some reversible languages allow infinite loops and must work with partial isomorphisms instead. Since we plan on using our language as a foundation for a quantum language we insist on termination.

Since the language features two kinds of variables, there are typing contexts (written $\Delta$) consisting of base-level typed variables of the form $x : a$, and typing contexts (written $\Psi$) consisting of typed iso-variables of the form $f : T$. As terms and values contain both base-level and iso-variables, one needs two typing contexts. Typing judgments are therefore written as $\Delta; \Psi \vdash_v t : a$. The updated rules for $(\vdash_v)$ are found in Table 1. As the only possible free variables in isos are iso-variables, their typing judgments only need one context and are written as $\Psi \vdash_\omega \omega : T$.

The rules for typing derivations of isos are in Table 2. It is worthwhile mentioning that isos are treated in a usual, non-linear way: this is the purpose of the typing context separation. The intuition is that an iso is the description of a closed computation with respect to inputs: remark that isos cannot accept value-types. As computations, they can be erased or duplicated without issues. On the other hand, value-types still need to be treated linearly.


Table 1. Typing rules for terms and values

$$\frac{}{\emptyset; \Psi \vdash_v () : 1} \qquad \frac{}{x : a; \Psi \vdash_v x : a} \qquad \frac{\Delta; \Psi \vdash_v t : a}{\Delta; \Psi \vdash_v \mathrm{inj}_l\, t : a \oplus b} \qquad \frac{\Delta; \Psi \vdash_v t : b}{\Delta; \Psi \vdash_v \mathrm{inj}_r\, t : a \oplus b}$$

$$\frac{\Delta_1; \Psi \vdash_v t_1 : a \quad \Delta_2; \Psi \vdash_v t_2 : b}{\Delta_1, \Delta_2; \Psi \vdash_v \langle t_1, t_2 \rangle : a \otimes b} \qquad \frac{\Psi \vdash_\omega \omega : a \leftrightarrow b \quad \Delta; \Psi \vdash_v t : a}{\Delta; \Psi \vdash_v \omega\, t : b}$$

$$\frac{\Delta_1; \Psi \vdash_v t_1 : a \otimes b \quad \Delta_2, x : a, y : b; \Psi \vdash_v t_2 : c}{\Delta_1, \Delta_2; \Psi \vdash_v \mathbf{let}\ \langle x, y \rangle = t_1\ \mathbf{in}\ t_2 : c}$$


Table 2. Typing rules for isos

$$\frac{\begin{array}{cc}
\Delta_1; \Psi \vdash_v v_1 : a \ \cdots\ \Delta_n; \Psi \vdash_v v_n : a & \mathrm{OD}_a\{v_1, \ldots, v_n\} \\
\Delta_1; \Psi \vdash_v e_1 : b \ \cdots\ \Delta_n; \Psi \vdash_v e_n : b & \mathrm{OD}^{\mathrm{ext}}_b\{e_1, \ldots, e_n\}
\end{array}}{\Psi \vdash_\omega \{\ |\ v_1 \leftrightarrow e_1 \ |\ v_2 \leftrightarrow e_2 \ \ldots\ \} : a \leftrightarrow b}$$

$$\frac{\Psi, f : a \leftrightarrow b \vdash_\omega \omega : T}{\Psi \vdash_\omega \lambda f.\omega : (a \leftrightarrow b) \to T} \qquad \frac{}{\Psi, f : T \vdash_\omega f : T} \qquad \frac{\Psi \vdash_\omega \omega_1 : (a \leftrightarrow b) \to T \quad \Psi \vdash_\omega \omega_2 : a \leftrightarrow b}{\Psi \vdash_\omega \omega_1\, \omega_2 : T}$$

$$\frac{\Psi, f : a \leftrightarrow b \vdash_\omega \omega : (a_1 \leftrightarrow b_1) \to \cdots \to (a_n \leftrightarrow b_n) \to (a \leftrightarrow b) \qquad \mu f.\omega \text{ terminates in any finite context}}{\Psi \vdash_\omega \mu f.\omega : (a_1 \leftrightarrow b_1) \to \cdots \to (a_n \leftrightarrow b_n) \to (a \leftrightarrow b)}$$

In the typing rule for recursion, the condition “$\mu f.\omega$ terminates in any finite context” formally refers to the following requirement. A well-typed fixpoint $\mu f.\omega$ of type $\Psi \vdash_\omega \mu f.\omega : (a_1 \leftrightarrow b_1) \to \cdots \to (a_n \leftrightarrow b_n) \to (a \leftrightarrow b)$ is terminating in a 0-context if for all closed isos $\omega_i : a_i \leftrightarrow b_i$ not using fixpoints and for every closed value $v$ of type $a$, the term $((\mu f.\omega)\, \omega_1 \ldots \omega_n)\, v$ terminates. We say that the fixpoint is terminating in an $(n+1)$-context if for all closed isos $\omega_i : a_i \leftrightarrow b_i$ terminating in $n$-contexts, and for every closed value $v$ of type $a$, the term $((\mu f.\omega)\, \omega_1 \ldots \omega_n)\, v$ terminates. Finally, we say that the fixpoint is terminating in any finitary context if for all $n$ it is terminating in any $n$-context.

With the addition of lists, the non-overlapping and exhaustivity conditions need to be modified. The main problem is that we can no longer define the dimension of types using natural numbers: $[a]$ is in essence an infinite sum, and would have an “infinite” dimension. Instead, we combine the two conditions into the concept of orthogonal decomposition. Formally, given a type $a$, we say that a set $S$ of patterns is an orthogonal decomposition, written $\mathrm{OD}_a(S)$, when these patterns are pairwise orthogonal and when they cover the whole type. We formally define $\mathrm{OD}_a(S)$ as follows. For all types $a$, $\mathrm{OD}_a\{x\}$ is valid. For the unit type, $\mathrm{OD}_1\{()\}$ is valid. If $\mathrm{OD}_a(S)$ and $\mathrm{OD}_b(T)$, then

$$\mathrm{OD}_{a \oplus b}(\{\mathrm{inj}_l\, v \mid v \in S\} \cup \{\mathrm{inj}_r\, v \mid v \in T\}) \quad\text{and}\quad \mathrm{OD}_{a \otimes b}\{\langle v_1, v_2 \rangle \mid v_1 \in S,\ v_2 \in T,\ \mathrm{FV}(v_1) \cap \mathrm{FV}(v_2) = \emptyset\},$$

where $\mathrm{FV}(t)$ stands for the set of free value-variables in $t$. We then extend the notion of orthogonal decomposition to extended values as follows. If $S$ is a set of extended values, $\mathrm{OD}^{\mathrm{ext}}_a(S)$ is true whenever $\mathrm{OD}_a\{\mathrm{Val}(e) \mid e \in S\}$. With this new characterization, the typing rule of isos in Eq. 1 still holds, and can then be re-written using this notion of orthogonal decomposition as shown in Table 2.


Table 3. Reduction rules

$$\frac{t_1 \to t_2}{C[t_1] \to C[t_2]}\ \text{(Cong)} \qquad \frac{\sigma[p] = v_1}{\mathbf{let}\ p = v_1\ \mathbf{in}\ t_2 \to \sigma(t_2)}\ \text{(LetE)}$$

$$\frac{\sigma[v_i] = v}{\{\ |\ v_1 \leftrightarrow e_1 \ |\ \ldots\ |\ v_n \leftrightarrow e_n\ \}\, v \to \sigma(e_i)}\ \text{(IsoApp)} \qquad \frac{}{(\lambda f.\omega_1)\, \omega_2 \to \omega_1[\omega_2/f]}\ \text{(HIsoApp)}$$

$$\frac{\Psi, f : a \leftrightarrow b \vdash_\omega \omega : (a_1 \leftrightarrow b_1) \to \cdots \to (a_n \leftrightarrow b_n) \to (a \leftrightarrow b)}{\mu f.\omega \to \omega[\mu f.\omega / f]}\ \text{(Rec)}$$


3.2 Semantics 


In Table 3 we present the reduction rules for the reversible language. We assume that the reduction relation applies to well-typed terms. In the rules, the notation $C[-]$ stands for an applicative context, and is defined as: $C[-] ::= [-] \mid \mathrm{inj}_l\, C[-] \mid \mathrm{inj}_r\, C[-] \mid \omega\, (C[-]) \mid \{\ldots\}\, (C[-]) \mid \mathbf{let}\ p = C[-]\ \mathbf{in}\ t_2 \mid \langle C[-], v \rangle \mid \langle v, C[-] \rangle$.

The inversion of isos is still possible but more subtle than in the first-order case. We define an inversion operation $(-)^{-1}$ on iso types with $(a \leftrightarrow b)^{-1} := (b \leftrightarrow a)$ and $((a \leftrightarrow b) \to T)^{-1} := ((b \leftrightarrow a) \to T^{-1})$. Inversion of isos is defined as follows. For fixpoints, $(\mu f.\omega)^{-1} := \mu f.(\omega^{-1})$. For variables, $(f)^{-1} := f$. For applications, $(\omega_1\, \omega_2)^{-1} := (\omega_1)^{-1}\, (\omega_2)^{-1}$. For abstraction, $(\lambda f.\omega)^{-1} := \lambda f.(\omega^{-1})$. Finally, clauses are inverted as follows:

$$\left( v_i \leftrightarrow \mathbf{let}\ p_1 = \omega_1\, p_1'\ \mathbf{in}\ \cdots\ \mathbf{let}\ p_n = \omega_n\, p_n'\ \mathbf{in}\ v_i' \right)^{-1} = \left( v_i' \leftrightarrow \mathbf{let}\ p_n' = \omega_n^{-1}\, p_n\ \mathbf{in}\ \cdots\ \mathbf{let}\ p_1' = \omega_1^{-1}\, p_1\ \mathbf{in}\ v_i \right)$$

Note that $(-)^{-1}$ only inverts first-order arrows ($\leftrightarrow$), not second-order arrows ($\to$). This is reflected by the fact that iso-variables are non-linear while value-variables are. This is due to the clear separation of the two layers of the language.

The rewriting system satisfies the usual properties for well-typed terms: it 
is terminating, well-typed closed terms have a unique normal value-form, and it 
preserves typing. 
Theorem 1. The inversion operation is well-typed, in the sense that if $f_1 : a_1 \leftrightarrow b_1, \ldots, f_n : a_n \leftrightarrow b_n \vdash_\omega \omega : T$ then we also have $f_1 : b_1 \leftrightarrow a_1, \ldots, f_n : b_n \leftrightarrow a_n \vdash_\omega \omega^{-1} : T^{-1}$.


Thanks to the fact that the language is terminating, we also recover the 
operational result of Sect. 2.3. 


Theorem 2. Consider a well-typed, closed iso $\vdash_\omega \omega : a \leftrightarrow b$, and suppose that $\vdash_v v : a$ and that $\vdash_v w : b$; then $\omega^{-1}(\omega\, v) \to^* v$ and $\omega(\omega^{-1}\, w) \to^* w$.


4 Examples 


In the previous sections, we developed a novel classical reversible language with a familiar syntax based on pattern-matching. The language includes a limited notion of higher-order functions and (terminating) recursive functions. We illustrate the expressiveness of the language with a few examples and motivate the changes and extensions needed to adapt the language to the quantum domain.

We encode booleans as follows: $B = 1 \oplus 1$, $\mathit{tt} = \mathrm{inj}_l\, ()$, and $\mathit{ff} = \mathrm{inj}_r\, ()$. One of the easiest functions to define is $\mathit{not} : B \leftrightarrow B$ which flips a boolean. The controlled-not gate which flips the second bit when the first is true can also be expressed:


    not : B ↔ B = { | tt ↔ ff
                    | ff ↔ tt }

    cnot : B ⊗ B ↔ B ⊗ B = { | ⟨ff, x⟩  ↔ ⟨ff, x⟩
                             | ⟨tt, tt⟩ ↔ ⟨tt, ff⟩
                             | ⟨tt, ff⟩ ↔ ⟨tt, tt⟩ }

All the patterns in the previous two functions are orthogonal decompositions 
which guarantee reversibility as desired. 

By using the abstraction facilities in the language, we can define higher- 
order operations that build complex reversible functions from simpler ones. For 
example, we can define a conditional expression parameterized by the functions 
used in the two branches: 


    if : (a ↔ b) → (a ↔ b) → (B ⊗ a ↔ B ⊗ b)
    if = λg.λh. { | ⟨tt, x⟩ ↔ let y = g x in ⟨tt, y⟩
                  | ⟨ff, x⟩ ↔ let y = h x in ⟨ff, y⟩ }


Using if and the obvious definition for the identity function id, we can define ctrl : (a ↔ a) → (B ⊗ a ↔ B ⊗ a) as ctrl f = if f id and recover an alternative definition of cnot as ctrl not. We can then define the controlled-controlled-not gate (aka the Toffoli gate) by writing ctrl cnot. We can even iterate this construction using fixpoints to produce an n-controlled-not function that takes a list of n control bits and a target bit and flips the target bit iff all the control bits are tt:

    cnot* : ([B] ⊗ B) ↔ ([B] ⊗ B)
    cnot* = μf. { | ⟨[], tb⟩       ↔ let tb' = not tb in ⟨[], tb'⟩
                  | ⟨ff : cbs, tb⟩ ↔ ⟨ff : cbs, tb⟩
                  | ⟨tt : cbs, tb⟩ ↔ let ⟨cbs', tb'⟩ = f ⟨cbs, tb⟩ in ⟨tt : cbs', tb'⟩ }


The language is also expressive enough to write conventional recursive (and higher-order) programs. We illustrate this expressiveness using the usual map operation and an accumulating variant mapAccu:

    map : (a ↔ b) → ([a] ↔ [b])
    map = λg.μf. { | []    ↔ []
                   | h : t ↔ let x = g h in let y = f t in x : y }

    mapAccu : (a ⊗ b ↔ a ⊗ c) → (a ⊗ [b] ↔ a ⊗ [c])
    mapAccu = λg.μf. { | ⟨x, []⟩ ↔ ⟨x, []⟩
                       | [second clause illegible in the extracted text] }


The three examples cnot*, map and mapAccu use fixpoints which are clearly terminating in any finite context. Indeed, the functions are structurally recursive. A formal definition of this notion for the reversible language is as follows.


$$\begin{array}{c|ccc} & v_1 & v_2 & v_3 \\ \hline v_1' & 1 & 0 & 0 \\ v_2' & 0 & 1 & 0 \\ v_3' & 0 & 0 & 1 \end{array}$$

Fig. 4. Classical iso

$$\begin{array}{c|ccc} & v_1 & v_2 & v_3 \\ \hline v_1' & a_{11} & a_{12} & a_{13} \\ v_2' & a_{21} & a_{22} & a_{23} \\ v_3' & a_{31} & a_{32} & a_{33} \end{array}$$

Fig. 5. Quantum iso

Fig. 6. Semantics of Gate: a $2 \times 2$ block matrix indexed by $\langle \mathit{tt}, x \rangle$ and $\langle \mathit{ff}, x \rangle$ (entries illegible in the extracted text)


Definition 1. Define a structurally recursive type as a type of the form $[a] \otimes b_1 \otimes \cdots \otimes b_n$. Let $\omega = \{v_i \leftrightarrow e_i \mid i \in I\}$ be an iso such that $f : a \leftrightarrow b \vdash_\omega \omega : a \leftrightarrow b$ where $a$ is a structurally recursive type. We say that $\mu f.\omega$ is structurally recursive provided that for each $i \in I$, the value $v_i$ is either of the form $\langle [], p_1, \ldots, p_n \rangle$ or of the form $\langle h : t, p_1, \ldots, p_n \rangle$. In the former case, $e_i$ does not contain $f$ as a free variable. In the latter case, $e_i$ is of the form $C[f \langle t, p_1', \ldots, p_n' \rangle]$ where $C$ is a context of the form $C[-] ::= [-] \mid \mathbf{let}\ p = C[-]\ \mathbf{in}\ t \mid \mathbf{let}\ p = t\ \mathbf{in}\ C[-]$.


This definition will be critical for quantum loops in the next section. 
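As an added example (ours, not the paper's code), the following Python check applies Definition 1 to the clauses of cnot* and map from Sect. 4 and to a constructed variant that recurses on the whole list instead of its tail. The AST encoding, the names, and the reading of the cons case as "f, if it occurs, is applied once to the tail" are our assumptions.

```python
# Added example (ours, not the paper's code): a syntactic check of Definition 1
# on a fixpoint μf.ω.  Patterns are ('tuple', v1, ..., vn) whose first component
# is a list pattern ('nil',) or ('cons', h, t); extended values are ('val', v)
# or ('let', p, iso, arg, body) for  let p = iso arg in body, with isos named by
# strings and 'f' the recursion variable.  In the cons case we read the
# definition as "f, if it occurs, is applied once to the tail", which is what
# the second clause of cnot* needs.  All names are ours.

def var(x): return ('var', x)
def nil(): return ('nil',)
def cons(h, t): return ('cons', h, t)
def tup(*vs): return ('tuple',) + vs
def val(v): return ('val', v)
def let(p, iso, arg, body): return ('let', p, iso, arg, body)

def iso_calls(e):
    """The (iso, argument) applications along the let-chain of e, in order."""
    calls = []
    while e[0] == 'let':
        calls.append((e[2], e[3]))
        e = e[4]
    return calls

def is_product(p):
    """Products p ::= () | x | <p1, p2>; here variables and tuples of products."""
    return p[0] == 'var' or (p[0] == 'tuple' and all(is_product(q) for q in p[1:]))

def clause_ok(lhs, rhs, f):
    """One clause v_i <-> e_i of Definition 1 for the recursion variable f."""
    if lhs[0] != 'tuple' or lhs[1][0] not in ('nil', 'cons'):
        return False                    # the type must be [a] x b1 x ... x bn
    rec = [arg for iso, arg in iso_calls(rhs) if iso == f]
    if lhs[1][0] == 'nil':
        return not rec                  # e_i must not mention f
    if len(rec) > 1:
        return False
    if not rec:
        return True
    tail = lhs[1][2]                    # the call must be C[f <t, p1', ..., pn'>]
    arg = rec[0]
    return (arg[0] == 'tuple' and len(arg) == len(lhs) and arg[1] == tail
            and all(is_product(q) for q in arg[2:]))

def structurally_recursive(clauses, f='f'):
    return all(clause_ok(lhs, rhs, f) for lhs, rhs in clauses)

TT, FF = ('tt',), ('ff',)
# cnot* from Sect. 4, clause by clause.
CNOT_STAR = [
    (tup(nil(), var('tb')),
     let(var("tb'"), 'not', var('tb'), val(tup(nil(), var("tb'"))))),
    (tup(cons(FF, var('cbs')), var('tb')),
     val(tup(cons(FF, var('cbs')), var('tb')))),
    (tup(cons(TT, var('cbs')), var('tb')),
     let(tup(var("cbs'"), var("tb'")), 'f', tup(var('cbs'), var('tb')),
         val(tup(cons(TT, var("cbs'")), var("tb'"))))),
]
# map g from Sect. 4; its type [a] <-> [b] has n = 0, so patterns are 1-tuples.
MAP = [
    (tup(nil()), val(tup(nil()))),
    (tup(cons(var('h'), var('t'))),
     let(var('x'), 'g', var('h'),
         let(var('y'), 'f', tup(var('t')), val(tup(cons(var('x'), var('y'))))))),
]
# Constructed counter-example: the recursive call is made on the whole list.
NOT_STRUCTURAL = [
    (tup(nil(), var('tb')), val(tup(nil(), var('tb')))),
    (tup(cons(var('c'), var('cbs')), var('tb')),
     let(tup(var("cbs'"), var("tb'")), 'f', tup(cons(var('c'), var('cbs')), var('tb')),
         val(tup(cons(var('c'), var("cbs'")), var("tb'"))))),
]
```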


5 From Reversible Isos to Quantum Control 


In the language presented so far, an iso $\omega : a \leftrightarrow b$ describes a bijection between the set $\mathcal{B}_a$ of closed values of type $a$ and the set $\mathcal{B}_b$ of closed values of type $b$. If one regards $\mathcal{B}_a$ and $\mathcal{B}_b$ as the basis elements of some vector space $\llbracket a \rrbracket$ and $\llbracket b \rrbracket$, the iso $\omega$ becomes a 0/1 matrix.

As an example, consider an iso $\omega$ defined using three clauses of the form $\{\ |\ v_1 \leftrightarrow v_1' \ |\ v_2 \leftrightarrow v_2' \ |\ v_3 \leftrightarrow v_3'\ \}$. From the exhaustivity and non-overlapping conditions derives the fact that the space $\llbracket a \rrbracket$ can be split into the direct sum of the three subspaces $\llbracket a \rrbracket_{v_i}$ ($i = 1, 2, 3$) generated by $v_i$. Similarly, $\llbracket b \rrbracket$ is split into the direct sum of the subspaces $\llbracket b \rrbracket_{v_i'}$ generated by $v_i'$. One can therefore represent $\omega$ as the matrix $\llbracket \omega \rrbracket$ in Fig. 4: the “1” in each column $v_i$ indicates to which subspace $\llbracket b \rrbracket_{v_i'}$ an element of $\llbracket a \rrbracket_{v_i}$ is sent.

In Sect. 2.2 we discussed the fact that $v_i \perp v_j$ when $i \neq j$. This notation hints at the fact that $\llbracket a \rrbracket$ and $\llbracket b \rrbracket$ could be seen as Hilbert spaces and the mapping $\llbracket \omega \rrbracket$ as a unitary map from $\llbracket a \rrbracket$ to $\llbracket b \rrbracket$. The purpose of this section is to extend and formalize precisely the correspondence between isos and unitary maps.

The definition of clauses is extended following this idea of seeing isos as unitaries, and not only bijections on basis elements of the input space. We therefore essentially propose to generalize the clauses to complex, linear combinations of values on the right-hand side, such as

$$\left\{\ \begin{array}{l} |\ v_1 \leftrightarrow a_{11} v_1' + a_{21} v_2' + a_{31} v_3' \\ |\ v_2 \leftrightarrow a_{12} v_1' + a_{22} v_2' + a_{32} v_3' \\ |\ v_3 \leftrightarrow a_{13} v_1' + a_{23} v_2' + a_{33} v_3' \end{array}\ \right\}$$

with the side condition that the matrix of Fig. 5 is unitary. We define in Sect. 5.1 how this extends to second order.


5.1 Extending the Language to Linear Combinations of Terms 


The quantum unitary language extends the reversible language from the previous section by closing extended values and terms under complex, finite linear combinations. For example, if $v_1$ and $v_2$ are values and $\alpha$ and $\beta$ are complex numbers, $\alpha \cdot v_1 + \beta \cdot v_2$ is now an extended value.

Several approaches exist for performing such an extension. One can update 
the reduction strategy to be able to reduce these sums and scalar multiplications 
to normal forms [12,18], or one can instead consider terms modulo the usual 
algebraic equalities [13,18]: this is the strategy we follow for this paper. 

When extending a language to linear combination of terms in a naive way, this 
added structure might generate inconsistencies in the presence of unconstrained 
fixpoints [12,13,18]. The weak condition on termination we imposed on fixpoints 
in the classical language was enough to guarantee reversibility. With the presence 
of linear combinations, we want the much stronger guarantee of unitarity. For 
this reason, we instead impose fixpoints to be structurally recursive. 

The quantum unitary language is defined by allowing sums of terms and values and multiplications by complex numbers: if $t$ and $t'$ are terms, so is $\alpha \cdot t + t'$. Terms and values are taken modulo the equational theory of modules. We furthermore consider the value and term constructs $\langle -, - \rangle$, $\mathbf{let}\ p = -\ \mathbf{in}\ -$, $\mathrm{inj}_l(-)$, $\mathrm{inj}_r(-)$ distributive over sum and scalar multiplication. We do not however take iso-constructions as distributive over sum and scalar multiplication: $\{\ |\ v_1 \leftrightarrow \alpha v_2 + \beta v_3\ \}$ is not the same thing as $\alpha \{\ |\ v_1 \leftrightarrow v_2\ \} + \beta \{\ |\ v_1 \leftrightarrow v_3\ \}$. This is in the spirit of Lineal [11,12].

The typing rules for terms and extended values are updated as follows. We only allow linear combinations of terms and values of the same type and of the same free variables. Fixpoints are now required to be structurally recursive, as introduced in Definition 1. Finally, an iso is now not only performing an “identity” as in Fig. 4 but a true unitary operation:

$$\frac{\begin{array}{ccc}
\Delta_1; \Psi \vdash_v v_1 : a \ \cdots\ \Delta_n; \Psi \vdash_v v_n : a & \mathrm{OD}_a\{v_1, \ldots, v_n\} & \\
\Delta_1; \Psi \vdash_v e_1 : b \ \cdots\ \Delta_n; \Psi \vdash_v e_n : b & \mathrm{OD}^{\mathrm{ext}}_b\{e_1, \ldots, e_n\} &
\begin{pmatrix} a_{11} & \cdots & a_{1n} \\ \vdots & \ddots & \vdots \\ a_{n1} & \cdots & a_{nn} \end{pmatrix} \text{ is unitary}
\end{array}}{\Psi \vdash_\omega \left\{\ \begin{array}{l} |\ v_1 \leftrightarrow a_{11} \cdot e_1 + \cdots + a_{1n} \cdot e_n \\ \quad \cdots \\ |\ v_n \leftrightarrow a_{n1} \cdot e_1 + \cdots + a_{nn} \cdot e_n \end{array}\ \right\} : a \leftrightarrow b}$$


The reduction relation is updated in a way that it remains deterministic in this extended setting. It is split into two parts: the reduction of pure terms, i.e. non-extended terms or values, and linear combinations thereof. Pure terms and values reduce using the reduction rules found in Table 3. We do not extend applicative contexts to linear combinations. For linear combinations of pure terms, we simply ask that all pure terms that are not normal forms in the combination are reduced. This makes the extended reduction relation deterministic.


Example 1. This allows one to define an iso behaving as the Hadamard gate, or a slightly more complex iso conditionally applying another iso, whose behavior as a matrix is shown in Fig. 6.

    Had : B ↔ B
      tt ↔ (1/√2)·tt + (1/√2)·ff
      ff ↔ (1/√2)·tt − (1/√2)·ff

    Gate : B ⊗ B ↔ B ⊗ B
      ⟨tt, x⟩ ↔ let y = Id x in …
      ⟨ff, x⟩ ↔ let y = Id x in (1/√2)·⟨tt, y⟩ − …

(The right-hand sides of Gate are only partially legible in the extracted text.) With this extension to linear combinations of terms, one can characterize normal forms as follows.


Lemma 1 (Structure of the Normal Forms). Let $\omega$ be such that $\vdash_\omega \omega : a \leftrightarrow b$. For all closed values $v$ of type $a$, the term $\omega\, v$ rewrites to a normal form $\sum_{i=1}^{N} \alpha_i \cdot w_i$ where $N < \infty$, each $w_i$ is a closed value of type $b$ and $\sum_i |\alpha_i|^2 = 1$.


Proof. The fact that $\omega\, v$ converges to a normal form is a corollary of the fact that we impose structural recursion on fixpoints. The property of the structure of the normal form is then proven by induction on the maximal number of steps it takes to reach it. It uses the restriction on the introduction of sums in the typing rule for clauses in isos and the determinism of the reduction.


In the classical setting, isos describe bijections between sets of closed val- 
ues: it was proven by considering the behavior of an iso against its inverse. In 
the presence of linear combinations of terms, we claim that isos describe more 
than bijections: they describe unitary maps. In the next section, we discuss how 
types can be understood as Hilbert spaces (Sect. 5.2) and isos as unitary maps 
(Sects. 5.3 and 5.4). 


5.2 Modeling Types as Hilbert Spaces 


By allowing complex linear combinations of terms, closed normal forms of finite types such as $B$ or $B \otimes B$ can be regarded as complex vector spaces with basis consisting of closed values. For example, $B$ is associated with $\llbracket B \rrbracket = \{\alpha \cdot \mathit{tt} + \beta \cdot \mathit{ff} \mid \alpha, \beta \in \mathbb{C}\} \cong \mathbb{C}^2$. We can consider this space as a complex Hilbert space where the scalar product is defined on basis elements in the obvious way: $\langle v | v \rangle = 1$ and $\langle v | w \rangle = 0$ if $v \neq w$. The map Had of Example 1 is then effectively a unitary map on the space $\llbracket B \rrbracket$.

The problem comes from lists: the type $[1]$ is inhabited by an infinite number of closed values: $[],\ [()],\ [(),()],\ [(),(),()], \ldots$ To account for this case, we need to consider infinite-dimensional complex Hilbert spaces. In general, a complex Hilbert space [19] is a complex vector space endowed with a scalar product that is complete with respect to the distance induced by the scalar product. The completeness requirement implies for example that the infinite linear combination $[] + \tfrac{1}{2} \cdot [()] + \tfrac{1}{4} \cdot [(),()] + \tfrac{1}{8} \cdot [(),(),()] + \cdots$ needs to be an element of $\llbracket [1] \rrbracket$. To account for these limit elements, we propose to use the standard [19] Hilbert space $\ell^2$ of infinite sequences.


Definition 2. Let $a$ be a value type. As before, we write $\mathcal{B}_a$ for the set of closed values of type $a$, that is, $\mathcal{B}_a = \{v \mid \vdash_v v : a\}$. The span of $a$ is defined as the Hilbert space $\llbracket a \rrbracket = \ell^2(\mathcal{B}_a)$ consisting of sequences $(\phi_v)_{v \in \mathcal{B}_a}$ of complex numbers indexed by $\mathcal{B}_a$ such that $\sum_{v \in \mathcal{B}_a} |\phi_v|^2 < \infty$. The scalar product on this space is defined as $\langle (\phi_v)_{v \in \mathcal{B}_a} \mid (\psi_v)_{v \in \mathcal{B}_a} \rangle = \sum_{v \in \mathcal{B}_a} \overline{\phi_v}\, \psi_v$.


We shall use the following conventions. A closed value $v$ of $\llbracket a \rrbracket$ is identified with the sequence $(\delta_{v,v'})_{v' \in \mathcal{B}_a}$ where $\delta_{v,v} = 1$ and $\delta_{v,v'} = 0$ if $v \neq v'$. An element $(\phi_v)_{v \in \mathcal{B}_a}$ of $\llbracket a \rrbracket$ is also written as the infinite, formal sum $\sum_{v \in \mathcal{B}_a} \phi_v \cdot v$.


5.3 Modeling Isos as Bounded Linear Maps

We can now define the linear map associated to an iso.


Definition 3. For each closed iso $\vdash_\omega \omega : a \leftrightarrow b$ we define $[\![\omega]\!]$ as the linear map from $[\![a]\!]$ to $[\![b]\!]$ sending the closed value $v : a$ to the normal form of $\omega\, v : b$ under the rewrite system.


In general, the fact that $[\![\omega]\!]$ is well-defined is not trivial. Before stating it formally in Theorem 3, we can first try to understand what could go wrong. The problem comes from the fact that the space $[\![a]\!]$ is not finite-dimensional in general. Consider the iso $\mathtt{map}\ \mathtt{Had} : [\mathbb{B}] \leftrightarrow [\mathbb{B}]$. Any closed value $v : [\mathbb{B}]$ is a list and the term $(\mathtt{map}\ \mathtt{Had})\, v$ rewrites to a normal form consisting of a linear combination of lists. Denote the linear combination associated to $v$ by $L_v$. An element of $[\![[\mathbb{B}]]\!]$ is a sequence $\phi = (\phi_v)_{v \in \mathcal{B}_{[\mathbb{B}]}}$. From Definition 3, the map $[\![\omega]\!]$ sends the element $\phi \in [\![[\mathbb{B}]]\!]$ to $\sum_{v \in \mathcal{B}_{[\mathbb{B}]}} \phi_v \cdot L_v$. This is an infinite sum of sums of complex numbers, and we need to make sure that it is well-defined: this is the purpose of the next result. Because of the constraints on the language, we can even show that it is a bounded linear map.

In the case of the map $\mathtt{map}\ \mathtt{Had}$, we can understand why it works as follows. The space $[\![[\mathbb{B}]]\!]$ can be decomposed as the direct sum $\bigoplus_{i < \omega} E_i$, where $E_i$ is generated by all the lists in $\mathcal{B}_{[\mathbb{B}]}$ of size $i$. The map $\mathtt{map}\ \mathtt{Had}$ acts locally on each finite-dimensional subspace $E_i$. It is therefore well-defined. Because of the unitarity constraint on the linear combinations appearing in Had, the operation performed by $\mathtt{map}\ \mathtt{Had}$ sends elements of norm 1 to elements of norm 1. This idea can be formalized and yields the following theorem.


Theorem 3. For each closed iso $\vdash_\omega \omega : a \leftrightarrow b$ the linear map $[\![\omega]\!] : [\![a]\!] \to [\![b]\!]$ is well-defined and bounded.
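The layer-by-layer argument above can be checked mechanically on a prefix of the decomposition. The following Python script is an added example, not code from the paper or from the language it describes: it assumes that Had is the standard Hadamard gate ($\mathtt{tt} \mapsto (\mathtt{tt} + \mathtt{ff})/\sqrt2$, $\mathtt{ff} \mapsto (\mathtt{tt} - \mathtt{ff})/\sqrt2$), represents finite-support elements of $\ell^2(\mathcal{B}_{[\mathbb{B}]})$ as dictionaries keyed by closed values, computes the normal form $L_v$ of $(\mathtt{map}\ \mathtt{Had})\, v$, and checks (a) that the block of $[\![\mathtt{map}\ \mathtt{Had}]\!]$ on each $E_i$ is unitary, by verifying that the images of the $2^i$ basis lists of length $i$ are orthonormal and stay inside $E_i$, and (b) that the linearly extended map preserves the scalar product of Definition 2 on random unit vectors whose support mixes several layers. The names `map_had`, `apply_iso` and `block_is_unitary` are this example's own.

```python
import itertools
import math
import random
from typing import Callable, Dict, Tuple

# Closed values of type B, and a closed value of type [B] as a tuple of them.
TT, FF = "tt", "ff"
Value = Tuple[str, ...]
Vec = Dict[Value, complex]          # finite-support element of l^2(B_[B]), keyed by closed value
Iso = Callable[[Value], Vec]        # a closed iso as the map v |-> normal form of (iso v)

INV_SQRT2 = 1 / math.sqrt(2)

def had(b: str) -> Dict[str, complex]:
    """Semantics assumed for Had on B: the standard Hadamard gate (an assumption of this example)."""
    return {TT: INV_SQRT2, FF: INV_SQRT2} if b == TT else {TT: INV_SQRT2, FF: -INV_SQRT2}

def map_had(v: Value) -> Vec:
    """Normal form L_v of (map Had) v: apply Had to every element and distribute the sums."""
    out: Vec = {(): 1.0}
    for b in v:
        nxt: Vec = {}
        for prefix, c in out.items():
            for b2, c2 in had(b).items():
                nxt[prefix + (b2,)] = nxt.get(prefix + (b2,), 0) + c * c2
        out = nxt
    return out

def apply_iso(phi: Vec, iso: Iso) -> Vec:
    """Definition 3 extended linearly: sum_v phi_v . v  |->  sum_v phi_v . L_v."""
    out: Vec = {}
    for v, c in phi.items():
        for w, d in iso(v).items():
            out[w] = out.get(w, 0) + c * d
    return out

def inner(phi: Vec, psi: Vec) -> complex:
    """Scalar product of Definition 2 on the common support: sum_v conj(phi_v) psi_v."""
    return sum((phi[v].conjugate() * psi[v] for v in phi.keys() & psi.keys()), 0j)

def norm(phi: Vec) -> float:
    return math.sqrt(inner(phi, phi).real)

def block_is_unitary(iso: Iso, size: int, tol: float = 1e-9) -> bool:
    """Is the restriction of [[iso]] to E_size (lists of length `size`) unitary?  The 2^size basis
    lists must be sent to an orthonormal family that stays inside E_size (square + orthonormal)."""
    basis = list(itertools.product((TT, FF), repeat=size))
    images = [iso(v) for v in basis]
    if any(len(w) != size for phi in images for w in phi):
        return False
    return all(abs(inner(images[i], images[j]) - (1.0 if i == j else 0.0)) <= tol
               for i in range(len(basis)) for j in range(len(basis)))

def random_unit_vector(max_len: int, rng: random.Random) -> Vec:
    """Unit vector supported on E_0 + ... + E_max_len (constructed test input)."""
    phi: Vec = {v: complex(rng.gauss(0, 1), rng.gauss(0, 1))
                for n in range(max_len + 1) for v in itertools.product((TT, FF), repeat=n)}
    s = norm(phi)
    return {v: c / s for v, c in phi.items()}

def preserves_scalar_product(iso: Iso, max_len: int = 3, trials: int = 5, tol: float = 1e-9) -> bool:
    """Condition (1) of Sect. 5.4, <[[w]](e) | [[w]](f)> = <e | f>, on random vectors mixing layers."""
    rng = random.Random(7)
    for _ in range(trials):
        e, f = random_unit_vector(max_len, rng), random_unit_vector(max_len, rng)
        if abs(inner(apply_iso(e, iso), apply_iso(f, iso)) - inner(e, f)) > tol:
            return False
    return True

if __name__ == "__main__":
    for n in range(4):
        print(f"block E_{n} unitary:", block_is_unitary(map_had, n))
    print("scalar product preserved:", preserves_scalar_product(map_had))
```

The per-block check is exactly the finite-dimensional argument: on $E_i$ the map is $H^{\otimes i}$, and orthonormality of the images of a basis of the same cardinality is unitarity there. Scaling the amplitudes (for instance doubling every coefficient of $L_v$) makes `block_is_unitary` fail, so the check does discriminate.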


5.4 Modeling Isos as Unitary Maps 


In this section, we show not only that closed isos can be modeled as bounded linear maps, but that these linear maps are in fact unitary maps. The difficulty comes from fixpoints. We first consider the case of isos written without fixpoints, and then the case with fixpoints.


Without recursion. The case without recursion is relatively easy to treat, as the 
linear map modeling the iso can be compositionally constructed out of elemen- 
tary unitary maps. 


Theorem 4. Given a closed iso $\vdash_\omega \omega : a \leftrightarrow b$ defined without the use of recursion, the linear map $[\![\omega]\!] : [\![a]\!] \to [\![b]\!]$ is unitary.


The proof of the theorem relies on the fact that to each closed iso $\vdash_\omega \omega : a \leftrightarrow b$ one can associate an operationally equivalent iso $\vdash_\omega \omega' : a \leftrightarrow b$ that uses neither iso-variables nor lambda-abstractions. We can define a notion of depth of an iso as the number of nested isos. The proof is done by induction on this depth of the iso $\omega$: it is possible to construct a unitary map for $\omega$ using the unitary maps for each $\omega_{ij}$ as elementary building blocks.

As an illustration, the semantics of Gate of Example 1 is given in Fig. 6. 


Isos with structural recursion. When considering fixpoints, we cannot rely anymore on this finite compositional construction: the space $[\![a]\!]$ cannot anymore be regarded as a finite sum of subspaces described by each clause.

We therefore need to rely on the formal definition of unitary maps in general, infinite-dimensional Hilbert spaces. On top of being bounded linear, a map $[\![\omega]\!] : [\![a]\!] \to [\![b]\!]$ is unitary if (1) it preserves the scalar product: $\langle [\![\omega]\!](e) \mid [\![\omega]\!](f) \rangle = \langle e \mid f \rangle$ for all $e$ and $f$ in $[\![a]\!]$ and (2) it is surjective.


Theorem 5. Given a closed iso $\vdash_\omega \omega : a \leftrightarrow b$ that can use structural recursion, the linear map $[\![\omega]\!] : [\![a]\!] \to [\![b]\!]$ is unitary.


The proof uses the idea highlighted in Sect. 5.3: for a structurally recursive iso of type $[a] \otimes b \leftrightarrow c$, the Hilbert space $[\![[a] \otimes b]\!]$ can be split into a canonical decomposition $E_0 \oplus E_1 \oplus E_2 \oplus \cdots$, where $E_i$ contains only the values of the form $\langle [x_1 \ldots x_i], y \rangle$, containing the lists of size $i$. On each $E_i$, the iso is equivalent to an iso without structural recursion.


6 Conclusion


In this paper, we proposed a reversible language amenable to quantum superpositions of values. The language features a weak form of higher-order that is nonetheless expressive enough to get interesting maps such as generalized Toffoli operators. We sketched how this language effectively encodes bijections in the classical case and unitary operations in the quantum case. It would be interesting to see how this relates to join inverse categories [14,15].

In the vectorial extension of the language we have the same control as in the classical, reversible language. Tests are captured by clauses, and naturally yield quantum tests: this is similar to what can be found in QML [5,6], yet more general since the QML approach is restricted to if-then-else constructs. The novel aspect of quantum control that we are able to capture here is a notion of quantum loops. These loops were believed to be hard, if not impossible. What makes it work in our approach is the fact that we are firmly within a closed quantum system, without measurements. This makes it possible to only consider unitary maps and frees us from the Löwner order on positive matrices [6]. As we restrict fixpoints to structural recursion, valid isos are regular enough to capture unitarity. Ying [7] also proposes a framework for quantum while-loops that is similar in spirit to our approach at the level of denotations: in his approach the control part of the loops is modeled using an external system of "coins" which, in our case, corresponds to conventional lists. Reducing the manipulation of this external coin system to iteration on lists allowed us to give a simple operational semantics for the language.
Abstract. We study the never-worse relation (NWR) for Markov decision processes with an infinite-horizon reachability objective. A state q is never worse than a state p if the maximal probability of reaching the target set of states from p is at most the same value from q, regardless of the probabilities labelling the transitions. Extremal-probability states, end components, and essential states are all special cases of the equivalence relation induced by the NWR. Using the NWR, states in the same equivalence class can be collapsed. Then, actions leading to sub-optimal states can be removed. We show that the natural decision problem associated to computing the NWR is coNP-complete. Finally, we extend a previously known incomplete polynomial-time iterative algorithm to under-approximate the NWR.


1 Introduction 


Markov decision processes (MDPs) are a useful model for decision-making in the 
presence of a stochastic environment. They are used in several fields, including 
robotics, automated control, economics, manufacturing and in particular plan- 
ning [20], model-based reinforcement learning [22], and formal verification [1]. We 
elaborate on the use of MDPs and the need for graph-based reductions thereof 
in verification and reinforcement learning applications below. 

Several verification problems for MDPs reduce to reachability [1,5]. For 
instance, MDPs can be model checked against linear-time objectives (expressed 
in, say, LTL) by constructing an omega-automaton recognizing the set of runs 
that satisfy the objective and considering the product of the automaton with the 
original MDP [6]. In this product MDP, accepting end components—a general- 
ization of strongly connected components—are identified and selected as tar- 
get components. The question of maximizing the probability that the MDP 
behaviours satisfy the linear-time objective is thus reduced to maximizing the 
probability of reaching the target components. 

The maximal reachability probability is computable in polynomial time by reduction to linear programming [1,6]. In practice, however, most model checkers use value iteration to compute this value [9,17]. The worst-case time complexity of value iteration is pseudo-polynomial. Hence, when implementing model checkers it is usual for a graph-based pre-processing step to remove as many unnecessary states and transitions as possible while preserving the maximal reachability probability. Well-known reductions include the identification of extremal-probability states and maximal end components [1,5]. The intended outcome of this pre-processing step is a reduced number of transition probability values that need to be considered when computing the number of iterations required by value iteration.

The main idea behind MDP reduction heuristics is to identify subsets of 
states from which the maximal probability of reaching the target set of states 
is the same. Such states are in fact redundant and can be “collapsed”. Figure 1 
depicts an MDP with actions and probabilities omitted for clarity. From p and 
q there are strategies to ensure that s is reached with probability 1. The same 
holds for t. For instance, from p, to get to t almost surely, one plays to go to 
the distribution directly below q; from q, to the distribution above q. Since from 
the state p, there is no strategy to ensure that q is reached with probability 1, 
p and q do not form an end component. In fact, to the best of our knowledge, 
no known MDP reduction heuristic captures this example (i.e., recognizes that 
p and q have the same maximal reachability probability for all possible values 
of the transition probabilities). 




Fig. 1. An MDP with states depicted as circles and distributions as squares. The 
maximal reachability probability values from p and q are the same since, from both, 
one can enforce to reach s with probability 1, or t with probability 1, using different 
strategies. 


In reinforcement learning the actual probabilities labelling the transitions of 
an MDP are not assumed to be known in advance. Thus, they have to be esti- 
mated by experimenting with different actions in different states and collecting 
statistics about the observed outcomes [14]. In order for the statistics to be good 
approximations, the number of experiments has to be high enough. In particular, 
when the approximations are required to be probably approximately correct [23], 
the necessary and sufficient number of experiments is pseudo-polynomial [13]. 
Furthermore, the expected number of steps before reaching a particular state 
even once may already be exponential (even if all the probabilities are fixed). 
The fact that an excessive amount of experiments is required is a known draw- 
back of reinforcement learning [15,19]. 

A natural and key question to ask in this context is whether the maximal 
reachability probability does indeed depend on the actual value of the probability 
labelling a particular transition of the MDP. If this is not the case, then it need 
not be learnt. One natural way to remove transition probabilities which do not affect the maximal reachability value is to apply model checking MDP reduction techniques.


Contributions and Structure of the Paper. We view the directed graph underlying 
an MDP as a directed bipartite graph. Vertices in this graph are controlled by 
players Protagonist and Nature. Nature is only allowed to choose full-support 
probability distributions for each one of her vertices, thus instantiating an MDP 
from the graph; Protagonist has strategies just as he would in an MDP. Hence, 
we consider infinite families of MDPs with the same support. In the game played 
between Protagonist and Nature, and for vertices u and v, we are interested in 
knowing whether the maximal reachability probability from u is never (in any of 
the MDPs with the game as its underlying directed graph) worse than the same 
value from v. 

In Sect. 2 we give the required definitions. We formalize the never-worse relation in Sect. 3. We also show that we can "collapse" sets of equivalent vertices with respect to the NWR (Theorem 1) and remove sub-optimal edges according to the NWR (Theorem 2). Finally, we also argue that the NWR generalizes most known heuristics to reduce MDP size before applying linear programming or value iteration. Then, in Sect. 4 we give a graph-based characterization of the relation (Theorem 3), which in turn gives us a coNP upper bound on its complexity. A matching lower bound is presented in Sect. 5 (Theorem 4). To conclude, we recall and extend an iterative algorithm to efficiently (in polynomial time) under-approximate the never-worse relation from [2].


Previous and Related Work. Reductions for MDP model checking were consid- 
ered in [5,7]. From the reductions studied in both papers, extremal-probability 
states, essential states, and end components are computable using only graph- 
based algorithms. In [3], learning-based techniques are proposed to obtain 
approximations of the maximal reachability probability in MDPs. Their algo- 
rithms, however, do rely on the actual probability values of the MDP. 

This work is also related to the widely studied model of interval MDPs, 
where the transition probabilities are given as intervals meant to model the 
uncertainty of the numerical values. Numberless MDPs [11] are a particular case 
of the latter in which values are only known to be zero or non-zero. In the 
context of numberless MDPs, a special case of the question we study can be 
simply rephrased as the comparison of the maximal reachability values of two 
given states. 

In [2] a preliminary version of the iterative algorithm we give in Sect.6 was 
described, implemented, and shown to be efficient in practice. Proposition 1 was 
first stated therein. In contrast with [2], we focus chiefly on characterizing the 
never-worse relation and determining its computational complexity. 
2 Preliminaries


We use set-theoretic notation to indicate whether a letter $b \in \Sigma$ occurs in a word $\alpha = a_0 \ldots a_k \in \Sigma^*$, i.e. $b \in \alpha$ if and only if $b = a_i$ for some $0 \le i \le k$.

Consider a directed graph $G = (V, E)$ and a vertex $u \in V$. We write $uE$ for the set of successors of $u$. That is to say, $uE := \{v \in V \mid (u, v) \in E\}$. We say that a path $\pi = u_0 \ldots u_k \in V^*$ in $G$ visits a vertex $v$ if $v \in \pi$. We also say that $\pi$ is a $v$-$T$ path, for $T \subseteq V$, if $u_0 = v$ and $u_k \in T$.


2.1 Stochastic Models 


Let $S$ be a finite set. We denote by $\mathbb{D}(S)$ the set of all (rational) probabilistic distributions on $S$, i.e. the set of all functions $f : S \to \mathbb{Q}_{\ge 0}$ such that $\sum_{s \in S} f(s) = 1$. A probabilistic distribution $f \in \mathbb{D}(S)$ has full support if $f(s) > 0$ for all $s \in S$.


Definition 1 (Markov chains). A Markov chain $\mathcal{C}$ is a tuple $(Q, \delta)$ where $Q$ is a finite set of states and $\delta$ is a probabilistic transition function $\delta : Q \to \mathbb{D}(Q)$.


A run of a Markov chain is a finite non-empty word $\varrho = p_0 \ldots p_n$ over $Q$. We say $\varrho$ reaches $q$ if $q = p_i$ for some $0 \le i \le n$. The probability of the run is $\prod_{0 \le i < n} \delta(p_i, p_{i+1})$.

Let $T \subseteq Q$ be a set of states. The probability of (eventually) reaching $T$ in $\mathcal{C}$ from $q_0$, which will be denoted by $\mathbb{P}^{\mathcal{C}}_{q_0}[\Diamond T]$, is the measure of the runs of $\mathcal{C}$ that start at $q_0$ and reach $T$. For convenience, let us first define the probability of staying in states from $S \subseteq Q$ until $T$ is reached¹, written $\mathbb{P}^{\mathcal{C}}_{q_0}[S\,\mathsf{U}\,T]$, as $1$ if $q_0 \in T$ and otherwise

$$\sum \Big\{ \prod_{0 \le i < n} \delta(q_i, q_{i+1}) \;\Big|\; q_0 \ldots q_n \in (S \setminus T)^* T \text{ for } n \ge 1 \Big\}.$$

We then define $\mathbb{P}^{\mathcal{C}}_{q_0}[\Diamond T] := \mathbb{P}^{\mathcal{C}}_{q_0}[Q\,\mathsf{U}\,T]$. When all runs from $q_0$ to $T$ reach some set $U \subseteq Q$ before, the probability of reaching $T$ can be decomposed into a finite sum as in the lemma below.


Lemma 1. Consider a Markov chain $\mathcal{C} = (Q, \delta)$, sets of states $U, T \subseteq Q$, and a state $q_0 \in Q \setminus U$. If $\mathbb{P}^{\mathcal{C}}_{q_0}[(Q \setminus U)\,\mathsf{U}\,T] = 0$, then

$$\mathbb{P}^{\mathcal{C}}_{q_0}[\Diamond T] = \sum_{u \in U} \mathbb{P}^{\mathcal{C}}_{q_0}[(Q \setminus U)\,\mathsf{U}\,u] \cdot \mathbb{P}^{\mathcal{C}}_{u}[\Diamond T].$$
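As an added example (not code from the paper), the following Python code computes $\mathbb{P}^{\mathcal{C}}_{q_0}[S\,\mathsf{U}\,T]$ for a constructed Markov chain by solving the linear equations the definition induces, over exact rationals. The states of $S \setminus T$ that cannot reach $T$ without leaving $S$ contribute probability $0$ and are dropped before solving, which is what keeps the system non-singular; the remaining unknowns satisfy $x_p = \sum_{q} \delta(p, q)\, x_q$ with $x_q = 1$ on $T$. It then checks the decomposition of Lemma 1 for a concrete choice of $U$ through which every run to $T$ must pass. The chain `DELTA`, the sets, and the function names are this example's own.

```python
from fractions import Fraction as F
from typing import Dict, List, Set

Chain = Dict[str, Dict[str, F]]   # delta[p][q] = probability of the step p -> q

# Constructed Markov chain (not from the paper).  t is the target, z a sink that never reaches it.
DELTA: Chain = {
    "q0": {"a": F(1, 2), "b": F(1, 2)},
    "a":  {"u1": F(1, 3), "q0": F(2, 3)},
    "b":  {"u2": F(1, 4), "b": F(3, 4)},
    "u1": {"t": F(1, 2), "z": F(1, 2)},
    "u2": {"t": F(1, 5), "z": F(4, 5)},
    "t":  {"t": F(1)},
    "z":  {"z": F(1)},
}

def solve(matrix: List[List[F]], rhs: List[F]) -> List[F]:
    """Gauss-Jordan elimination over exact rationals (the systems built below are non-singular)."""
    n = len(matrix)
    m = [row[:] + [b] for row, b in zip(matrix, rhs)]
    for col in range(n):
        pivot = next(r for r in range(col, n) if m[r][col] != 0)
        m[col], m[pivot] = m[pivot], m[col]
        pv = m[col][col]
        m[col] = [x / pv for x in m[col]]
        for r in range(n):
            if r != col and m[r][col] != 0:
                factor = m[r][col]
                m[r] = [x - factor * y for x, y in zip(m[r], m[col])]
    return [row[n] for row in m]

def until_prob(delta: Chain, q0: str, S: Set[str], T: Set[str]) -> F:
    """P^C_{q0}[S U T]: reach T while staying in S.  Only the states of S \\ T that can reach T
    without leaving S are unknowns; every other state contributes 0."""
    if q0 in T:
        return F(1)
    active: Set[str] = set()
    grown = True
    while grown:                      # backward closure: p is active if some step leads to T or active
        grown = False
        for p in S - T - active:
            if any(q in T or q in active for q in delta[p]):
                active.add(p)
                grown = True
    if q0 not in active:
        return F(0)
    idx = {p: i for i, p in enumerate(sorted(active))}
    n = len(idx)
    matrix = [[F(0)] * n for _ in range(n)]
    rhs = [F(0)] * n
    for p, i in idx.items():
        matrix[i][i] += 1             # x_p - sum_{q active} delta(p,q) x_q = sum_{q in T} delta(p,q)
        for q, pr in delta[p].items():
            if q in idx:
                matrix[i][idx[q]] -= pr
            elif q in T:
                rhs[i] += pr
    return solve(matrix, rhs)[idx[q0]]

def reach_prob(delta: Chain, q0: str, T: Set[str]) -> F:
    """P^C_{q0}[<>T] := P^C_{q0}[Q U T]."""
    return until_prob(delta, q0, set(delta), T)

def lemma1_decomposition(delta: Chain, q0: str, U: Set[str], T: Set[str]) -> F:
    """Right-hand side of Lemma 1; its precondition is that T is unreachable from q0 while avoiding U."""
    S = set(delta) - U
    assert q0 not in U and until_prob(delta, q0, S, T) == 0, "Lemma 1 precondition violated"
    return sum((until_prob(delta, q0, S, {u}) * reach_prob(delta, u, T) for u in U), F(0))

if __name__ == "__main__":
    print("P_q0[<>t] =", reach_prob(DELTA, "q0", {"t"}))
    print("Lemma 1 rhs =", lemma1_decomposition(DELTA, "q0", {"u1", "u2"}, {"t"}))
```

With $U = \{u_1, u_2\}$ the run from $q_0$ must pass through $U$ before $t$, so the precondition holds and both sides evaluate to the same rational.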


Definition 2 (Markov decision processes). A (finite, discrete-time) Markov decision process $\mathcal{M}$, MDP for short, is a tuple $(Q, A, \delta, T)$ where $Q$ is a finite set of states, $A$ a finite set of actions, $\delta : Q \times A \to \mathbb{D}(Q)$ a probabilistic transition function, and $T \subseteq Q$ a set of target states.


For convenience, we write $\delta(q | p, a)$ instead of $\delta(p, a)(q)$.


¹ $S\,\mathsf{U}\,T$ should be read as "$S$ until $T$" and not understood as a set union.

Definition 3 (Strategies). A (memoryless deterministic) strategy $\sigma$ in an MDP $\mathcal{M} = (Q, A, \delta, T)$ is a function $\sigma : Q \to A$.


Note that we have deliberately defined only memoryless deterministic strate- 
gies. This is at no loss of generality since, in this work, we focus on maximizing 
the probability of reaching a set of states. It is known that for this type of 
objective, memoryless deterministic strategies suffice [18]. 


From MDPs to Chains. An MDP $\mathcal{M} = (Q, A, \delta, T)$ and a strategy $\sigma$ induce the Markov chain $\mathcal{M}^\sigma = (Q, \mu)$ where $\mu(q) = \delta(q, \sigma(q))$ for all $q \in Q$.


Fig. 2. On the left we have an MDP with actions $\{a, b\}$. On the right we have the Markov chain induced by the left MDP and the strategy $\{p \mapsto a, q \mapsto b\}$.


Example 1. Figure 2 depicts an MDP on the left. Circles represent states; double- 
circles, target states; and squares, distributions. The labels on arrows from states 
to distributions are actions; those on arrows from distributions to states, prob- 
abilities. 

Consider the strategy $\sigma$ that plays from $p$ the action $a$ and from $q$ the action $b$, i.e. $\sigma(p) = a$ and $\sigma(q) = b$. The Markov chain on the right is the chain induced by $\sigma$ and the MDP on the left. Note that we no longer have action labels.

The probability of reaching a target state from $q$ under $\sigma$ is easily seen to be $3/4$. In other words, if we write $\mathcal{M}$ for the MDP and $T$ for the set of target states then $\mathbb{P}^{\mathcal{M}^\sigma}_q[\Diamond T] = \tfrac34$.


2.2 Reachability Games Against Nature 


We will speak about families of MDPs whose probabilistic transition functions have the same support. To do so, we abstract away the probabilities and focus on a game played on a graph. That is, given an MDP $\mathcal{M} = (Q, A, \delta, T)$ we consider its underlying directed graph $G_{\mathcal{M}} = (V, E)$ where $V := Q \cup (Q \times A)$ and $E := \{(q, (q, a)) \in Q \times (Q \times A)\} \cup \{((p, a), q) \mid \delta(q | p, a) > 0\}$. In $G_{\mathcal{M}}$, Nature controls the vertices $Q \times A$. We formalize the game and the arena it is played on below.


Definition 4 (Target arena). A target arena $\mathcal{A}$ is a tuple $(V, V_P, E, T)$ such that $(V_P, V_N := V \setminus V_P, E)$ is a bipartite directed graph, $T \subseteq V_P$ is a set of target vertices, and $uE \neq \emptyset$ for all $u \in V_N$.


Informally, there are two agents in a target arena: Nature, who controls the vertices in $V_N$, and Protagonist, who controls the vertices in $V_P$.


372 S. Le Roux and G. A. Pérez 


From Arenas to MDPs. A target arena $\mathcal{A} = (V, V_P, E, T)$ together with a family of probability distributions $\mu = (\mu_u \in \mathbb{D}(uE))_{u \in V_N}$ induce an MDP. Formally, let $\mathcal{A}_\mu$ be the MDP $(Q, A, \delta, T)$ where $Q = V_P \uplus \{\bot\}$, $A = V_N$, $\delta(q | p, a)$ is $\mu_a(q)$ if $(p, a), (a, q) \in E$ and $0$ otherwise, and for all $p \in V_P \cup \{\bot\}$ and $a \in A$ we have $\delta(\bot | p, a) = 1$ if $(p, a) \notin E$.


The Value of a Vertex. Consider a target arena $\mathcal{A} = (V, V_P, E, T)$ and a vertex $v \in V_P$. We define its (maximal reachability probability) value with respect to a family of full-support probability distributions $\mu$ as $\mathrm{Val}^\mu(v) := \max_\sigma \mathbb{P}^{\mathcal{A}_\mu^\sigma}_v[\Diamond T]$. For $u \in V_N$ we set $\mathrm{Val}^\mu(u) := \sum \{ \mu_u(v)\, \mathrm{Val}^\mu(v) \mid v \in uE \}$.


3 The Never-Worse Relation

We are now in a position to define the relation that we study in this work. Let us fix a target arena $\mathcal{A} = (V, V_P, E, T)$.


Definition 5 (The never-worse relation (NWR)). A subset $W \subseteq V$ of vertices is never worse than a vertex $v \in V$, written $v \trianglelefteq W$, if and only if

$$\forall \mu = (\mu_u \in \mathbb{D}(uE))_{u \in V_N},\ \exists w \in W : \mathrm{Val}^\mu(v) \le \mathrm{Val}^\mu(w)$$

where all the $\mu_u$ have full support. We write $v \sim w$ if $v \trianglelefteq \{w\}$ and $w \trianglelefteq \{v\}$.


It should be clear from the definition that $\sim$ is an equivalence relation. For $u \in V$ let us denote by $\tilde{u}$ the set of vertices that are $\sim$-equivalent to $u$ and belong to the same owner, i.e. $\tilde{u}$ is $\{v \in V_P \mid v \sim u\}$ if $u \in V_P$ and $\{v \in V_N \mid v \sim u\}$ otherwise.




Fig. 3. Two target arenas with $T = \{\mathit{fin}\}$ are shown. Round vertices are elements from $V_P$; square vertices, from $V_N$. In the left target arena we have that $p \trianglelefteq \{q\}$ and $q \trianglelefteq \{p\}$ since any path from either vertex visits $t$ before $T$; see Lemma 1. In the right target arena we have that $t \trianglelefteq \{p\}$; see Proposition 1.


Example 2. Consider the left target arena depicted in Fig. 3. Using Lemma 1, it 
is easy to show that neither p nor q is ever worse than the other since t is visited 
before fin by all paths starting from p or q. 


The literature contains various heuristics which consist in computing sets of 
states and “collapsing” them to reduce the size of the MDP without affecting the 
maximal reachability probability of the remaining states. We now show that we 
can collapse equivalence classes and, further, remove sub-optimal distributions 
using the NWR. 
3.1 The Usefulness of the NWR


We will now formalize the idea of “collapsing” equivalent vertices with respect 
to the NWR. For convenience, we will also remove self-loops while doing so. 

Consider a target arena $\mathcal{A} = (V, V_P, E, T)$. We denote by $\mathcal{A}_{/\sim}$ its $\sim$-quotient. That is, $\mathcal{A}_{/\sim}$ is the target arena $(S, S_P, R, U)$ where $S_P = \{\tilde{w} \mid w \in V_P\}$, $S = \{\tilde{w} \mid w \in V_N\} \cup S_P$, $U = \{\tilde{t} \mid t \in T\}$, and

$$R := \{(\tilde{u}, \tilde{v}) \mid (u, v) \in (V_P \times V_N) \cap E,\ vE \setminus \tilde{u} \neq \emptyset\} \cup \{(\tilde{u}, \tilde{v}) \mid (u, v) \in (V_N \times V_P) \cap E\}.$$

For a family $\mu = (\mu_u \in \mathbb{D}(uE))_{u \in V_N}$ of full-support distributions we denote by $\mu_{/\sim}$ the family $\nu = (\nu_{\tilde{u}} \in \mathbb{D}(\tilde{u}R))_{\tilde{u} \in S_N}$ defined as follows. For all $\tilde{u} \in S_N$ and all $\tilde{v} \in \tilde{u}R$ we have $\nu_{\tilde{u}}(\tilde{v}) = \sum_{w \in \tilde{v}} \mu_u(w)$, where $u$ is any element of $\tilde{u}$.

The following property of the $\sim$-quotient follows from the fact that all the vertices in $\tilde{u}$ have the same maximal probability of reaching the target vertices.


Theorem 1. Consider a target arena $\mathcal{A} = (V, V_P, E, T)$. For all families $\mu = (\mu_u \in \mathbb{D}(uE))_{u \in V_N}$ of full-support probability distributions and all $v \in V_P$ we have

$$\max_\sigma \mathbb{P}^{\mathcal{A}_\mu^\sigma}_v[\Diamond T] = \max_\sigma \mathbb{P}^{\mathcal{B}_\nu^\sigma}_{\tilde{v}}[\Diamond U],$$

where $\mathcal{B} = \mathcal{A}_{/\sim}$, $\nu = \mu_{/\sim}$, and $U = \{\tilde{t} \mid t \in T\}$.


We can further remove edges that lead to sub-optimal Nature vertices. 
When this is done after ~-quotienting the maximal reachability probabilities are 
preserved. 


Theorem 2. Consider a target arena $\mathcal{A} = (V, V_P, E, T)$ such that $\mathcal{A}_{/\sim} = \mathcal{A}$. For all families $\mu = (\mu_u \in \mathbb{D}(uE))_{u \in V_N}$ of full-support probability distributions, for all $(w, x) \in E \cap (V_P \times V_N)$ such that $x \trianglelefteq (wE \setminus \{x\})$, and all $v \in V_P$ we have

$$\max_\sigma \mathbb{P}^{\mathcal{A}_\mu^\sigma}_v[\Diamond T] = \max_\sigma \mathbb{P}^{\mathcal{B}_\mu^\sigma}_v[\Diamond T],$$

where $\mathcal{B} = (V, V_P, E \setminus \{(w, x)\}, T)$.


3.2 Known Efficiently-Computable Special Cases 


We now recall the definitions of the set of extremal-probability states, end components, and essential states. Then, we observe that for all these sets of states their maximal reachability probabilities coincide and their definitions are independent of the probabilities labelling the transitions of the MDP. Hence, they are subsets of the equivalence classes induced by $\sim$.
Extremal-Probability States. The set of extremal-probability states of an MDP $\mathcal{M} = (Q, A, \delta, T)$ consists of the set of states with maximal reachability probability $0$ and $1$. Both sets can be computed in polynomial time [1,4]. We give below a game-based definition of both sets inspired by the classical polynomial-time algorithm to compute them (see, e.g., [1]). Let us fix a target arena $\mathcal{A} = (V, V_P, E, T)$ for the sequel.

For a set $T \subseteq V$, let us write $Z_T := \{v \in V \mid T \text{ is not reachable from } v\}$.


(Almost-Surely Winning) Strategies. A strategy for Protagonist in a target arena is a function $\sigma : V_P \to V_N$. We then say that a path $v_0 \ldots v_n \in V^*$ is consistent with $\sigma$ if $v_i \in V_P \implies \sigma(v_i) = v_{i+1}$ for all $0 \le i < n$. Let $\mathrm{Reach}(v_0, \sigma)$ denote the set of vertices reachable from $v_0$ under $\sigma$, i.e. $\mathrm{Reach}(v_0, \sigma) := \{v_k \mid v_0 \ldots v_k \text{ is a path consistent with } \sigma\}$.

We say that a strategy $\sigma$ for Protagonist is almost-surely winning from $u_0 \in V$ to $T \subseteq V_P$ if, after modifying the arena to make all $t \in T$ into sinks, for all $v_0 \in \mathrm{Reach}(u_0, \sigma)$ we have $\mathrm{Reach}(v_0, \sigma) \cap T \neq \emptyset$. We denote the set of all such strategies by $\mathrm{Win}^{T}_{u_0}$.

The following properties regarding almost-surely winning strategies in a tar- 
get arena follow from the correctness of the graph-based algorithm used to com- 
pute extremal-probability states in an MDP [1, Lemma 10.108]. 


Lemma 2 (From [1]). Consider a target arena $\mathcal{A} = (V, V_P, E, T)$. For all families $\mu = (\mu_u \in \mathbb{D}(uE))_{u \in V_N}$ of full-support probability distributions, for all $v \in V_P$ the following hold.


(i) $\max_\sigma \mathbb{P}^{\mathcal{A}_\mu^\sigma}_v[\Diamond T] = 0 \iff v \in Z_T$
(ii) $\forall \sigma : \sigma \in \mathrm{Win}^{T}_{v} \iff \mathbb{P}^{\mathcal{A}_\mu^\sigma}_v[\Diamond T] = 1$


End Components. Let us consider an MDP $\mathcal{M} = (Q, A, \delta, T)$. A set $S \subseteq Q$ of states is an end component in $\mathcal{M}$ if for all pairs of states $p, q \in S$ there exists a strategy $\sigma$ such that $\mathbb{P}^{\mathcal{M}^\sigma}_p[S\,\mathsf{U}\,q] = 1$.


Example 3. Let us consider the MDP shown on the left in Fig. 2. The set {p,q} 
is an end component since, by playing a from both states, one can ensure to 
reach either state from the other with probability 1. 


It follows immediately from the definition of end component that the maximal 
probability of reaching T from states in the same end component is the same. 


Lemma 3. Let $S \subseteq Q$ be an end component in $\mathcal{M}$. For all $p, q \in S$ we have that $\max_\sigma \mathbb{P}^{\mathcal{M}^\sigma}_p[\Diamond T] = \max_\sigma \mathbb{P}^{\mathcal{M}^\sigma}_q[\Diamond T]$.


We say an end component is maximal if it is maximal with respect to set inclusion. Furthermore, from the definition of end components in MDPs and Lemma 2 it follows that we can lift the notion of end component to target arenas. More precisely, a set $S \subseteq V_P$ is an end component in $\mathcal{A}$ if and only if for some family of full-support probability distributions $\mu$ we have that $S$ is an end component in $\mathcal{A}_\mu$ (if and only if for all $\mu'$ the set $S$ is an end component in $\mathcal{A}_{\mu'}$).

The set of all maximal end components of a target arena can be computed in 
polynomial time using an algorithm based on the strongly connected components 
of the graph [1,8]. 


Essential States. Consider a target arena $\mathcal{A} = (V, V_P, E, T)$ and let $\sqsubseteq$ be the smallest relation satisfying the following. For all $u \in V_P$ we have $u \sqsubseteq u$. For all $u_0, v \in V_P \setminus Z_T$ such that $u_0 \neq v$ we have $u_0 \sqsubseteq v$ if for all paths $u_0 u_1 u_2$ we have that $u_2 \sqsubseteq v$ and there is at least one such path. Intuitively, $u \sqsubseteq v$ holds whenever all paths starting from $u$ reach $v$. In [7], the maximal vertices according to $\sqsubseteq$ are called essential states².


Lemma 4 (From [7]). Consider a target arena $\mathcal{A} = (V, V_P, E, T)$. For all families $\mu = (\mu_u \in \mathbb{D}(uE))_{u \in V_N}$ of full-support probability distributions, for all $v \in V_P$ and all essential states $w$, if $v \sqsubseteq w$ then $\max_\sigma \mathbb{P}^{\mathcal{A}_\mu^\sigma}_v[\Diamond T] = \max_\sigma \mathbb{P}^{\mathcal{A}_\mu^\sigma}_w[\Diamond T]$.


Note that, in the left arena in Fig. 3, $p \sqsubseteq t$ does not hold since there is a cycle between $p$ and $q$ which does not visit $t$.
It was also shown in [7] that the $\sqsubseteq$ relation is computable in polynomial time.


4 Graph-Based Characterization of the NWR 


In this section we give a characterization of the NWR that is reminiscent of the topological-based value iteration proposed in [5]. The main intuition behind our characterization is as follows. If $v \trianglelefteq W$ does not hold, then for all $0 < \varepsilon < 1$ there is some family $\mu$ of full-support distributions such that $\mathrm{Val}^\mu(v)$ is at least $1 - \varepsilon$, while $\mathrm{Val}^\mu(w)$ is at most $\varepsilon$ for all $w \in W$. In turn, this must mean that there is a path from $v$ to $T$ which can be assigned a high probability by $\mu$ while, from $W$, all paths go with high probability to $Z_T$.

We capture the idea of separating a "good" $v$-$T$ path from all paths starting from $W$ by partitioning $V$ into layers $S_i \subseteq V$. Intuitively, we would like it to be easy to construct a family $\mu$ of probability distributions such that from all vertices in $S_{i+1}$ all paths going to vertices outside of $S_{i+1}$ end up, with high probability, in lower layers, i.e. some $S_k$ with $k \le i$. A formal definition follows.


Definition 6 (Drift partition and vertices). Consider a target arena $\mathcal{A} = (V, V_P, E, T)$ and a partition $(S_i)_{0 \le i \le k}$ of $V$. For all $0 \le i \le k$, let $S_i^+ := \bigcup_{i < j} S_j$ and $S_i^- := \bigcup_{j < i} S_j$, and let $D_i := \{v \in S_i \cap V_N \mid vE \cap S_i^- \neq \emptyset\}$. We define the set $D := \bigcup_{0 \le i \le k} D_i$ of drift vertices. The partition is called a drift partition if the following hold.


– For all $i \le k$ and all $v \in S_i \cap V_P$ we have $vE \cap S_i^+ = \emptyset$.
– For all $i \le k$ and all $v \in S_i \cap V_N$ we have $vE \cap S_i^+ \neq \emptyset \implies v \in D$.


² This is not the usual notion of essential states from classical Markov chain theory.
Using drift partitions, we can now formalize our characterization of the negation of the NWR.


Theorem 3. Consider a target arena $\mathcal{A} = (V, V_P, E, T)$, a non-empty set of vertices $W \subseteq V$, and a vertex $v \in V$. The following are equivalent


(i) $\neg(v \trianglelefteq W)$
(ii) There exists a drift partition $(S_i)_{0 \le i \le k}$ and a simple path $\pi$ starting in $v$ and ending in $T$ such that $\pi \subseteq S_k$ and $W \subseteq S_k^-$.


Before proving Theorem 3 we need an additional definition and two interme- 
diate results. 


Definition 7 (Value-monotone paths). Let $\mathcal{A} = (V, V_P, E, T)$ be a target arena and consider a family of full-support probability distributions $\mu = (\mu_u \in \mathbb{D}(uE))_{u \in V_N}$. A path $v_0 \ldots v_k$ is $\mu$-non-increasing if and only if $\mathrm{Val}^\mu(v_{i+1}) \le \mathrm{Val}^\mu(v_i)$ for all $0 \le i < k$; it is $\mu$-non-decreasing if and only if $\mathrm{Val}^\mu(v_i) \le \mathrm{Val}^\mu(v_{i+1})$ for all $0 \le i < k$.


It can be shown that from any path in a target arena ending in T one can obtain 
a simple non-decreasing one. 


Lemma 5. Consider a target arena $\mathcal{A} = (V, V_P, E, T)$ and a family of full-support probability distributions $\mu = (\mu_u \in \mathbb{D}(uE))_{u \in V_N}$. If there is a path from some $v \in V$ to $T$, there is also a simple $\mu$-non-decreasing one.


Additionally, we will make use of the following properties regarding vertex- 
values. They formalize the relation between the value of a vertex, its owner, and 
the values of its successors. 


Lemma 6. Consider a target arena $\mathcal{A} = (V, V_P, E, T)$ and a family of full-support probability distributions $\mu = (\mu_u \in \mathbb{D}(uE))_{u \in V_N}$.


(i) For all $u \in V_P$, for all successors $v \in uE$ it holds that $\mathrm{Val}^\mu(v) \le \mathrm{Val}^\mu(u)$.
(ii) For all $u \in V_N$ it holds that

$$(\exists v \in uE : \mathrm{Val}^\mu(u) < \mathrm{Val}^\mu(v)) \implies (\exists w \in uE : \mathrm{Val}^\mu(w) < \mathrm{Val}^\mu(u)).$$


Proof (of Theorem 3). Recall that, by definition, (i) holds if and only if there exists a family $\mu = (\mu_u \in \mathbb{D}(uE))_{u \in V_N}$ of full-support probability distributions such that $\forall w \in W : \mathrm{Val}^\mu(w) < \mathrm{Val}^\mu(v)$.

Let us prove (i) $\implies$ (ii). Let $x_0 < x_1 < \ldots$ be the finitely many (i.e. at most $|V|$) values that occur in the MDP $\mathcal{A}_\mu$, and let $k$ be such that $\mathrm{Val}^\mu(v) = x_k$. For all $0 < i \le k$ let $S_i := \{u \in V \mid \mathrm{Val}^\mu(u) = x_i\}$, and let $S_0 := V \setminus \bigcup_{0 < i \le k} S_i$. Let us show below that the $S_i$ form a drift partition.


– $\forall i \le k, \forall u \in S_i \cap V_P : uE \cap S_i^+ = \emptyset$ by Lemma 6(i) (for $i < k$) and since $S_k^+ = \emptyset$.

– $\forall i \le k, \forall u \in S_i \cap V_N : uE \cap S_i^+ \neq \emptyset \implies u \in D$ by Lemma 6(ii) (for $i < k$) and since $S_k^+ = \emptyset$.
We have that $\mathrm{Val}^\mu(w) < \mathrm{Val}^\mu(v) = x_k$ for all $w \in W$, by assumption, so $W \subseteq S_k^-$ by construction. By Lemma 5 there exists a simple $\mu$-non-decreasing path $\pi$ from $v$ to $T$, so all the vertices occurring in $\pi$ have values at least $\mathrm{Val}^\mu(v)$, so $\pi \subseteq S_k$.
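The (i) ⟹ (ii) construction, and the conditions of Definition 6 it must satisfy, can be exercised on a small arena. The following Python code is an added example, not from the paper: it computes $\mathrm{Val}^\mu$ on a constructed target arena by value iteration on $\mathcal{A}_\mu$ (targets are worth $1$, Protagonist maximises over successors, a Protagonist vertex without successors is worth $0$ as it moves to $\bot$, Nature averages with $\mu$), groups vertices into layers by value up to $x_k = \mathrm{Val}^\mu(v)$, checks the two drift conditions, and finds a $v$-$T$ path inside the top layer. One detail is a choice made here: every vertex worth at least $x_k$ is placed in the top layer $S_k$, which keeps Protagonist vertices of higher value from breaking the first drift condition. The arena `E`, the family `MU`, and the function names are this example's own.

```python
from collections import deque
from typing import Dict, List, Set

# Constructed target arena (not from the paper): Protagonist vertices VP, Nature vertices VN,
# successor lists E, targets T.  Every Nature vertex has a successor, as Definition 4 requires.
VP = {"v", "w", "hi", "t", "dead"}
VN = {"n1", "n2", "n3", "n4"}
E = {
    "v": ["n1"], "w": ["n2"], "hi": ["n4"], "t": [], "dead": ["n3"],
    "n1": ["t", "dead"], "n2": ["v", "hi", "dead"], "n3": ["dead"], "n4": ["t", "dead"],
}
T = {"t"}
# One full-support family mu = (mu_u)_{u in VN}, also constructed for this example.
MU = {
    "n1": {"t": 0.5, "dead": 0.5},
    "n2": {"v": 0.1, "hi": 0.1, "dead": 0.8},
    "n3": {"dead": 1.0},
    "n4": {"t": 0.9, "dead": 0.1},
}

def values(mu, tol=1e-12, max_iter=10_000) -> Dict[str, float]:
    """Val^mu by value iteration on A_mu; values are rounded so that equal values group into layers."""
    val = {u: 1.0 if u in T else 0.0 for u in VP | VN}
    for _ in range(max_iter):
        new = {}
        for u in VP:
            new[u] = 1.0 if u in T else max((val[n] for n in E[u]), default=0.0)
        for u in VN:
            new[u] = sum(p * val[x] for x, p in mu[u].items())
        delta = max(abs(new[u] - val[u]) for u in val)
        val = new
        if delta < tol:
            break
    return {u: round(x, 9) for u, x in val.items()}

def layers_for(val, v) -> List[Set[str]]:
    """Layers of the (i) => (ii) proof: S_i holds the vertices of the i-th smallest value x_i for
    i < k, and the top layer S_k holds every vertex worth at least x_k = Val(v) (choice made here)."""
    xs = sorted(set(val.values()))
    k = xs.index(val[v])
    layers = [{u for u in val if val[u] == xs[i]} for i in range(k)]
    layers.append({u for u in val if val[u] >= xs[k]})
    return layers

def drift_vertices(layers) -> Set[str]:
    """D = union of the D_i: Nature vertices with a successor in a strictly lower layer."""
    drift = set()
    for i, layer in enumerate(layers):
        lower = set().union(*layers[:i])
        drift |= {u for u in layer & VN if set(E[u]) & lower}
    return drift

def is_drift_partition(layers) -> bool:
    """Definition 6: Protagonist never moves to a higher layer; a Nature vertex that can must drift."""
    drift = drift_vertices(layers)
    for i, layer in enumerate(layers):
        upper = set().union(*layers[i + 1:])
        for u in layer & VP:
            if set(E[u]) & upper:
                return False
        for u in layer & VN:
            if set(E[u]) & upper and u not in drift:
                return False
    return True

def path_inside(top, v) -> List[str]:
    """Simple path from v to T using only vertices of `top` (BFS), or [] if there is none."""
    parent = {v: None}
    queue = deque([v])
    while queue:
        u = queue.popleft()
        if u in T:
            path = []
            while u is not None:
                path.append(u)
                u = parent[u]
            return path[::-1]
        for x in E[u]:
            if x in top and x not in parent:
                parent[x] = u
                queue.append(x)
    return []

def separate(mu, v, W):
    """If mu witnesses not(v NWR W), i.e. Val(v) > Val(w) for all w in W, return the drift partition
    and the v-T path of Theorem 3(ii); otherwise return None."""
    val = values(mu)
    if not all(val[w] < val[v] for w in W):
        return None
    layers = layers_for(val, v)
    assert is_drift_partition(layers) and W <= set().union(*layers[:-1])
    return layers, path_inside(layers[-1], v)

if __name__ == "__main__":
    print(values(MU))
    print(separate(MU, "v", {"w"}))
```

On this arena $\mathrm{Val}^\mu(v) = 0.5$ and $\mathrm{Val}^\mu(w) = 0.14$, so `MU` witnesses $\neg(v \trianglelefteq \{w\})$; the layers come out as $\{\mathit{dead}, n_3\}$, $\{w, n_2\}$ and the top layer, with $n_2$ a drift vertex because it can move down to $\mathit{dead}$, and the witness path is $v\, n_1\, t$. Merging the first two layers with $v$ and $n_1$ while leaving $t$ above them violates the second condition, and the checker rejects it.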

We will prove (ii) $\implies$ (i) by defining some full-support distribution family $\mu$. The definition will be partial only, first on $\pi \cap V_N$, and then on the drift vertices in $V \setminus S_k$. Let $0 < \varepsilon < 1$, which is meant to be small enough. Let us write $\pi = v_0 \ldots v_n$ so that $v_0 = v$ and $v_n \in T$. Let us define $\mu$ on $\pi \cap V_N$ as follows: for all $i < n$, if $v_i \in V_N$ let $\mu_{v_i}(v_{i+1}) := 1 - \varepsilon$. Let $\sigma$ be an arbitrary Protagonist strategy such that for all $i < n$, if $v_i \in V_P$ then $\sigma(v_i) := v_{i+1}$. Therefore

$$\begin{aligned}
(1 - \varepsilon)^{|V|} &\le (1 - \varepsilon)^{n} && \text{since } \pi \text{ is simple} \\
&\le \prod_{i < n,\ v_i \in V_N} \mu_{v_i}(v_{i+1}) && \text{by definition of } \mu \\
&\le \mathbb{P}^{\mathcal{A}_\mu^\sigma}_v[\Diamond T] \\
&\le \max_\sigma \mathbb{P}^{\mathcal{A}_\mu^\sigma}_v[\Diamond T] = \mathrm{Val}^\mu(v). && (1)
\end{aligned}$$

So, for $0 < \varepsilon < 1 - \sqrt[|V|]{1/2}$ we have $\tfrac12 < (1 - \varepsilon)^{|V|} \le \mathrm{Val}^\mu(v)$. Below we will further define $\mu$ such that $\mathrm{Val}^\mu(w) \le 1 - (1 - \varepsilon)^{|V|} < \tfrac12$ for all $w \in W$ and all $0 < \varepsilon < 1 - \sqrt[|V|]{1/2}$, which will prove (ii) $\implies$ (i). However, the last part of the proof is more difficult.

For all $1 \le i \le k$, for all drift vertices $u \in S_i$, let $\sigma(u)$ be a successor of $u$ in $S_i^{<}$. Such a $\sigma(u)$ exists by definition of the drift vertices. Then let $\mu_u(\sigma(u)) := 1 - \varepsilon$. We then claim that
$$\forall u \in D : (1-\varepsilon)\left(1 - \mathbb{P}^{\sigma}_{\mu, \sigma(u)}[\Diamond T]\right) \le 1 - \mathbb{P}^{\sigma}_{\mu, u}[\Diamond T]. \qquad (2)$$
Indeed, $1 - \mathbb{P}^{\sigma}_{\mu, u}[\Diamond T]$ is the probability that, starting at $u$ and following $\sigma$, $T$ is never reached; and $(1-\varepsilon)(1 - \mathbb{P}^{\sigma}_{\mu, \sigma(u)}[\Diamond T])$ is the probability that, starting at $u$ and following $\sigma$, the second vertex is $\sigma(u)$ and $T$ is never reached.


Now let $\sigma$ be an arbitrary strategy, and let us prove the following by induction on $j$.
$$\forall\, 0 \le j < k,\ \forall w \in S_j \cup S_j^{<} : \mathbb{P}^{\sigma}_{\mu, w}[\Diamond T] \le 1 - (1-\varepsilon)^{j}$$
Base case, $j = 0$: by assumption $W$ is non-empty and included in $S_k^{<}$, so $0 < k$. Also by assumption $T \subseteq S_k$, so $T \cap S_0 = \emptyset$. By definition of a drift partition, there are no edges going out of $S_0$, regardless of whether the starting vertex is in $V_P$ or $V_N$. So there is no path from $w$ to $T$, which implies $\mathrm{Val}^\mu(w) = 0$ for all $w \in S_0$, and the claim holds for the base case. Inductive case, let $w \in S_j$, let $D' := D \cap (S_j \cup S_j^{<})$ and let us argue that every path $\pi$ from $w$ to $T$ must at some point leave $S_j \cup S_j^{<}$ to reach a vertex with higher index, i.e. there is some edge $(\pi_i, \pi_{i+1})$ from $\pi_i \in S_j \cup S_j^{<}$ to some $\pi_{i+1} \in S_\ell$ with $j < \ell$. By definition of a drift partition, $\pi_i$ must also be a drift vertex, i.e. $\pi_i \in D'$. Thus, if we let $F := V \setminus D'$, Lemma 1 implies that $\mathbb{P}^{\sigma}_{\mu, w}[\Diamond T] = \sum_{u \in D'} \mathbb{P}^{\sigma}_{\mu, w}[F \,\mathsf{U}\, u] \cdot \mathbb{P}^{\sigma}_{\mu, u}[\Diamond T]$. Now, since
$$
\begin{aligned}
\sum_{u \in D'} \mathbb{P}^{\sigma}_{\mu,u}[\Diamond T]
&= \sum_{u \in D' \cap S_j^{<}} \mathbb{P}^{\sigma}_{\mu,u}[\Diamond T] + \sum_{u \in D' \cap S_j} \mathbb{P}^{\sigma}_{\mu,u}[\Diamond T] && \text{by splitting the sum} \\
&\le \sum_{u \in D' \cap S_j^{<}} \mathbb{P}^{\sigma}_{\mu,u}[\Diamond T] + \sum_{u \in D' \cap S_j} \Bigl(1 - (1-\varepsilon)\bigl(1 - \mathbb{P}^{\sigma}_{\mu,\sigma(u)}[\Diamond T]\bigr)\Bigr) && \text{by (2)} \\
&\le \sum_{u \in D' \cap S_j^{<}} \bigl(1 - (1-\varepsilon)^{j-1}\bigr) + \sum_{u \in D' \cap S_j} \bigl(1 - (1-\varepsilon)(1-\varepsilon)^{j-1}\bigr) && \text{by IH and since } \forall x \in D' \cap S_j : \sigma(x) \in S_j^{<} \\
&\le \sum_{u \in D'} \bigl(1 - (1-\varepsilon)^{j}\bigr) && \text{since } (1-\varepsilon)^{j} \le (1-\varepsilon)^{j-1}
\end{aligned}
$$
and $\sum_{u \in D'} \mathbb{P}^{\sigma}_{\mu, w}[F \,\mathsf{U}\, u] \le 1$, we have that $\mathbb{P}^{\sigma}_{\mu, w}[\Diamond T] \le 1 - (1-\varepsilon)^{j}$. The induction is thus complete. Since $\sigma$ is arbitrary in the calculations above, and since $j < k \le |V|$, we find that $\mathrm{Val}^\mu(w) \le 1 - (1-\varepsilon)^{|V|}$ for all $w \in W \subseteq S_k^{<}$.

For $0 < \varepsilon < 1 - \sqrt[|V|]{1/2}$ we have $\frac{1}{2} < (1-\varepsilon)^{|V|}$, as mentioned after (1), so
$$\mathrm{Val}^\mu(w) \le 1 - (1-\varepsilon)^{|V|} < \tfrac{1}{2}.$$


5 Intractability of the NWR 


It follows from Theorem 3 that we can decide whether a vertex is sometimes 
worse than a set of vertices by guessing a partition of the vertices and verifying 
that it is a drift partition. The verification can clearly be done in polynomial 
time. 


Corollary 1. Given a target arena $A = (V, V_P, E, T)$, a non-empty set $W \subseteq V$, and a vertex $v \in V$, determining whether $v \preccurlyeq W$ is decidable and in coNP.


We will now show that the problem is in fact coNP-complete already for Markov chains.


Theorem 4. Given a target arena $A = (V, V_P, E, T)$, a non-empty vertex set $W \subseteq V$, and a vertex $v \in V$, determining whether $v \preccurlyeq W$ is coNP-complete even if $|uE| = 1$ for all $u \in V_P$.


The Complexity of Graph-Based Reductions for Reachability 379

The idea is to reduce the 2-DISJOINT PATHS PROBLEM (2DP) to the existence of a drift partition witnessing that $v \preccurlyeq \{w\}$ does not hold, for some $v \in V$. Recall that 2DP asks, given a directed graph $G = (V, E)$ and vertex pairs $(s_1, t_1), (s_2, t_2) \in V \times V$, whether there exists an $s_1$-$t_1$ path $\pi_1$ and an $s_2$-$t_2$ path $\pi_2$ such that $\pi_1$ and $\pi_2$ are vertex disjoint, i.e. $\pi_1 \cap \pi_2 = \emptyset$. The problem is known to be NP-complete [10,12]. In the sequel, we assume without loss of generality that (a) $t_1$ and $t_2$ are reachable from all $s \in V \setminus \{t_1, t_2\}$; and (b) $t_1$ and $t_2$ are the only sinks in $G$.


Proof (of Theorem 4). From the 2DP input instance, we construct the target arena $A = (S, S_P, R, T)$ with $S := V \cup E$, $R := \{(u, (u,v)), ((u,v), v) \in S \times S \mid (u,v) \in E \text{ or } u = v \in \{t_1, t_2\}\}$, $S_P := V \times V$, and $T := \{(t_1, t_1)\}$. We will show there are vertex-disjoint $s_1$-$t_1$ and $s_2$-$t_2$ paths in $G$ if and only if there is a drift partition $(S_i)_{0 \le i \le k}$ and a simple $s_1$-$t_1$ path $\pi$ such that $\pi \subseteq S_k$ and $s_2 \in S_k^{<}$. The result will then follow from Theorem 3.

Suppose we have a drift partition $(S_i)_{0 \le i \le k}$ with $s_2 \in S_k^{<}$ and a simple path $\pi = v_0 (v_0, v_1) \ldots (v_{n-1}, v_n) v_n$ with $v_0 = s_1$, $v_n = t_1$. Since the set $\{t_2, (t_2, t_2)\}$ is trapping in $A$, i.e. all paths from vertices in the set visit only vertices from it, we can assume that $S_0 = \{t_2, (t_2, t_2)\}$. (Indeed, for any drift partition, one can obtain a new drift partition by moving any trapping set to a new lowest layer.) Now, using the assumption that $t_2$ is reachable from all $s \in V \setminus \{t_1, t_2\}$ one can show by induction that for all $0 \le j < k$ and for all $u_0 \in S_j$ there is a path $\rho = u_0 \ldots u_m$ in $G$ with $u_m = t_2$ and $\rho \subseteq S_k^{<}$. This implies that there is an $s_2$-$t_2$ path $\pi_2$ in $G$ such that $\pi_2 \subseteq S_k^{<}$. It follows that $\pi_2$ is vertex disjoint with the $s_1$-$t_1$ path $v_0 \ldots v_n$ in $G$.

Now, let us suppose that we have $s_1$-$t_1$ and $s_2$-$t_2$ vertex disjoint paths $\pi_1 = u_0 \ldots u_n$ and $\pi_2 = v_0 \ldots v_m$. Clearly, we can assume both $\pi_1, \pi_2$ are simple. We will construct a partition $(S_i)_{0 \le i \le m+1}$ and show that it is indeed a drift partition, that $u_0 (u_0, u_1) \ldots (u_{n-1}, u_n) u_n \subseteq S_{m+1}$, and $s_2 = v_0 \in S_{m+1}^{<}$. Let us set $S_0 := \{(v_{m-1}, v_m), v_m, (t_2, t_2)\}$, $S_i := \{(v_{m-i-1}, v_{m-i}), v_{m-i}\}$ for all $0 < i < m$, and $S_{m+1} := S \setminus \bigcup_{0 \le i \le m} S_i$. Since $\pi_2$ is simple, $(S_i)_{0 \le i \le m+1}$ is a partition of $S$. Furthermore, we have that $s_2 = v_0 \in S_{m+1}^{<}$, and $u_0 (u_0, u_1) \ldots (u_{n-1}, u_n) u_n \subseteq S_{m+1}$ since $\pi_1$ and $\pi_2$ are vertex disjoint. Thus, it only remains for us to argue that for all $0 \le i \le m+1$: for all $w \in S_i \cap S_P$ we have $wR \cap S_i^{>} = \emptyset$, and for all $w \in S_i \setminus S_P$ we have $wR \cap S_i^{>} \neq \emptyset \implies wR \cap S_i^{<} \neq \emptyset$. By construction of the $S_i$, we have that $eR \subseteq S_i$ for all $0 \le i < m$ and all $e \in S_i \cap S_P$. Furthermore, for all $0 < i \le m$, for all $x \in S_i \setminus S_P = \{v_{m-i}\}$, there exists $y \in S_{i-1} \cap S_P = \{(v_{m-i}, v_{m-i+1})\}$ such that $(x, y) \in R$, induced by $(v_{m-i}, v_{m-i+1}) \in E$ from $\pi_2$. To conclude, we observe that since $S_0 = \{(v_{m-1}, v_m), v_m = t_2, (t_2, t_2)\}$ and $\{t_2, (t_2, t_2)\}$ is trapping in $A$, the set $t_2 R$ is contained in $S_0$.
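Checking a witness of the kind used in the proof of Theorem 3, and building the arena and layered partition of Theorem 4 from a 2DP instance, as an added example in Python (not code from the paper). The successor-map representation of arenas, the 2DP instances, and the layer $S_m = \{v_0\}$ of the partition are our own reading of the construction.

```python
"""Witness check for 'v is not never-worse than W' (proof of Theorem 3) and the
2DP reduction of Theorem 4. Added example; not code from the paper."""
from collections import deque
from typing import Dict, Hashable, List, Optional, Set

Vertex = Hashable
Succ = Dict[Vertex, Set[Vertex]]        # E or R as a successor map


def is_drift_partition(V: Set[Vertex], VP: Set[Vertex], E: Succ,
                       layers: List[Set[Vertex]]) -> bool:
    """Layers S_0, ..., S_k partition V; a Protagonist vertex has no successor in a
    higher layer; a Nature vertex with a successor in a higher layer (a drift vertex)
    also has a successor in a lower layer."""
    layer_of: Dict[Vertex, int] = {}
    for i, S in enumerate(layers):
        for u in S:
            if u in layer_of:           # layers must be disjoint ...
                return False
            layer_of[u] = i
    if set(layer_of) != set(V):         # ... and cover V
        return False
    for u in V:
        i = layer_of[u]
        higher = any(layer_of[w] > i for w in E[u])
        lower = any(layer_of[w] < i for w in E[u])
        if (u in VP and higher) or (u not in VP and higher and not lower):
            return False
    return True


def simple_path_inside(E: Succ, v: Vertex, T: Set[Vertex],
                       S: Set[Vertex]) -> Optional[List[Vertex]]:
    """A path from v to T that visits only vertices of S (BFS paths are simple)."""
    parent: Dict[Vertex, Optional[Vertex]] = {v: None}
    queue = deque([v])
    while queue:
        u = queue.popleft()
        if u in T:
            path = []
            while u is not None:
                path.append(u)
                u = parent[u]
            return path[::-1]
        for w in E[u]:
            if w in S and w not in parent:
                parent[w] = u
                queue.append(w)
    return None


def certify_sometimes_worse(V, VP, E, T, v, W, layers) -> bool:
    """True iff `layers` witnesses that v is not never-worse than W, as in the proof of
    Theorem 3: a drift partition whose top layer S_k contains T and a simple v-T path,
    while the non-empty set W lies in the lower layers S_k^<."""
    if not W or not is_drift_partition(V, VP, E, layers):
        return False
    top, lower = layers[-1], set().union(*layers[:-1])
    return (v in top and T <= top and W <= lower
            and simple_path_inside(E, v, T, top) is not None)


def arena_from_2dp(V, edges, t1, t2):
    """Theorem 4: arena vertices are V plus the pairs (u,v) in E and (t1,t1), (t2,t2);
    u -> (u,v) -> v for every pair; pairs are the Protagonist vertices; T = {(t1,t1)}."""
    pairs = set(edges) | {(t1, t1), (t2, t2)}
    S = set(V) | pairs
    R: Succ = {s: set() for s in S}
    for (u, w) in pairs:
        R[u].add((u, w))
        R[(u, w)].add(w)
    return S, pairs, R, {(t1, t1)}


def layers_from_path(S, pi2, t2):
    """Partition from the proof of Theorem 4 for a simple s2-t2 path pi2 = v_0 ... v_m:
    S_0 = {(v_{m-1},v_m), v_m, (t2,t2)}, S_i = {(v_{m-i-1},v_{m-i}), v_{m-i}} for
    0 < i < m, S_m = {v_0} (our reading of the construction), S_{m+1} = the rest."""
    m = len(pi2) - 1
    layers = [{(pi2[m - 1], pi2[m]), pi2[m], (t2, t2)}]
    layers += [{(pi2[m - i - 1], pi2[m - i]), pi2[m - i]} for i in range(1, m)]
    layers.append({pi2[0]})
    layers.append(S - set().union(*layers))
    return layers


def demo() -> List[bool]:
    # Constructed 2DP instances: in G the paths s1-a-t1 and s2-b-t2 are vertex disjoint
    # (a -> b is a decoy edge); in H both paths must pass through c.
    G = ({"s1", "s2", "a", "b", "t1", "t2"},
         {("s1", "a"), ("a", "t1"), ("s2", "b"), ("b", "t2"), ("a", "b")})
    H = ({"s1", "s2", "c", "t1", "t2"},
         {("s1", "c"), ("c", "t1"), ("s2", "c"), ("c", "t2")})
    results = []
    for (V, edges), pi2 in ((G, ["s2", "b", "t2"]), (H, ["s2", "c", "t2"])):
        S, SP, R, T = arena_from_2dp(V, edges, "t1", "t2")
        layers = layers_from_path(S, pi2, "t2")
        results.append(certify_sometimes_worse(S, SP, R, T, "s1", {"s2"}, layers))
    return results          # [True, False]


if __name__ == "__main__":
    print(demo())
```

For H the layering is still a drift partition, but no path from $s_1$ to $(t_1, t_1)$ stays inside the top layer because $c$ was placed in a lower layer, so the witness is rejected.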


6 Efficiently Under-Approximating the NWR 


Although the full NWR cannot be efficiently computed for a given MDP, we can 
hope for “under-approximations” that are accurate and efficiently computable. 


Definition 8 (Under-approximation of the NWR). Let $A = (V, V_P, E, T)$ be a target arena and consider a relation $\trianglelefteq \subseteq V \times \mathcal{P}(V)$. The relation $\trianglelefteq$ is an under-approximation of the NWR if and only if $\trianglelefteq \subseteq \preccurlyeq$.
We denote by $\trianglelefteq^*$ the pseudo transitive closure of $\trianglelefteq$. That is, $\trianglelefteq^*$ is the smallest relation such that $\trianglelefteq \subseteq \trianglelefteq^*$ and for all $u \in V$, $X \subseteq V$, if there exists $W \subseteq V$ such that $u \trianglelefteq^* W$ and $w \trianglelefteq^* X$ for all $w \in W$, then $u \trianglelefteq^* X$.


Remark 1. The empty set is an under-approximation of the NWR. For all under-approximations $\trianglelefteq$ of the NWR, the pseudo transitive closure $\trianglelefteq^*$ of $\trianglelefteq$ is also an under-approximation of the NWR.


In [2], efficiently-decidable sufficient conditions for the NWR were given. In particular, those conditions suffice to infer relations such as those in the right MDP from Fig. 3. We recall (Proposition 1) and extend (Proposition 2) these conditions below.


Proposition 1 (From [2]). Consider a target arena $A = (V, V_P, E, T)$ and an under-approximation $\trianglelefteq$ of the NWR. For all vertices $v_0 \in V$, and sets $W \subseteq V$ the following hold.

(i) If there exists $S \subseteq \{s \in V \mid s \trianglelefteq W\}$ such that there exists no path $v_0 \ldots v_n \in (V \setminus S)^* T$, then $v_0 \preccurlyeq W$.
(ii) If $W = \{w\}$ and there exists $S \subseteq \{s \in V_P \mid w \trianglelefteq \{s\}\}$ such that Wingy $\emptyset$, then $w \preccurlyeq \{v_0\}$.


Proof (Sketch). The main idea of the proof of item (i) is to note that S is 
visited before T. The desired result then follows from Lemma 1. For item (ii), 
we intuitively have that there is a strategy to visit T with some probability or 
visit W, where the chances of visiting T are worse than before. We then show 
that it is never worse to start from vo to have better odds of visiting T. 


The above “rules” give an iterative algorithm to obtain increasingly better under-approximations of the NWR: from $\trianglelefteq_i$ apply the rules and obtain a new under-approximation $\trianglelefteq_{i+1}$ by adding the new pairs and taking the pseudo transitive closure; then repeat until convergence. Using the special cases from Sect. 3.2 we can obtain a nontrivial initial under-approximation $\trianglelefteq_0$ of the NWR in polynomial time.

The main problem is how to avoid testing all subsets W C V in every iter- 
ation. One natural way to ensure we do not consider all subsets of vertices in 
every iteration is to apply the rules from Proposition 1 only on the successors of 
Protagonist vertices. 

In the same spirit of the iterative algorithm described above, we now give 
two new rules to infer NWR pairs. 


Proposition 2. Consider a target arena $A = (V, V_P, E, T)$ and $\trianglelefteq$ an under-approximation of the NWR.

(i) For all $u \in V_N$, if for all $v, w \in uE$ we have $v \trianglelefteq \{w\}$ and $w \trianglelefteq \{v\}$, then $u \sim x$ for all $x \in uE$.
(ii) For all $u, v \in V_P \setminus T$, if for all $w \in uE$ such that $w \trianglelefteq (uE \setminus \{w\})$ does not hold we have that $w \trianglelefteq vE$, then $u \preccurlyeq \{v\}$.

Proof (Sketch). Item (i) follows immediately from the definition of $\mathrm{Val}$. For item (ii) one can use the Bellman optimality equations for infinite-horizon reachability in MDPs to show that since the successors of $v$ are never worse than the non-dominated successors of $u$, we must have $u \preccurlyeq \{v\}$.




Fig. 4. Two target arenas with $T = \{\mathit{fin}\}$ are shown. Using Propositions 1 and 2 one can conclude that $p \sim q$ in both target arenas.


The rules stated in Proposition 2 can be used to infer relations like those depicted in Fig. 4 and are clearly seen to be computable in polynomial time as they speak only of successors of vertices.
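The iterative algorithm of this section, as an added example (not the paper's implementation): the rules of Proposition 1(i) and Proposition 2 and the pseudo transitive closure of Definition 8 are iterated to a fixpoint on a small constructed arena. Proposition 1(ii) is left out because its side condition is not legible above; the seeding of the initial relation (the paper seeds from its Sect. 3.2 special cases, not reproduced here) and our conservative reading of "non-dominated successors" in Proposition 2(ii) are assumptions, marked in the code.

```python
"""Iterative under-approximation of the NWR with Propositions 1(i) and 2 and the
pseudo transitive closure of Definition 8. Added example; not the paper's code."""
from typing import Dict, FrozenSet, Set, Tuple

Pair = Tuple[str, FrozenSet[str]]          # (u, W) encodes u ⊴ W


def path_to_target_avoiding(E: Dict[str, Set[str]], v0: str, T: Set[str],
                            S: Set[str]) -> bool:
    """Is there a path v0 ... vn in (V \\ S)* T?  Depth-first search that may only
    pass through vertices outside S; a target vertex ends the path even if it is in S."""
    stack, seen = [v0], set()
    while stack:
        u = stack.pop()
        if u in T:
            return True
        if u in S or u in seen:
            continue
        seen.add(u)
        stack.extend(E[u])
    return False


def pseudo_transitive_closure(rel: Set[Pair], sets) -> None:
    """Close rel under: u ⊴ W and w ⊴ X for all w in W  =>  u ⊴ X (Definition 8)."""
    changed = True
    while changed:
        changed = False
        for (u, W) in list(rel):
            for X in sets:
                if (u, X) not in rel and all((w, X) in rel for w in W):
                    rel.add((u, X))
                    changed = True


def under_approximate_nwr(V: Set[str], VP: Set[str], E: Dict[str, Set[str]],
                          T: Set[str]) -> Set[Pair]:
    """Apply the rules and the closure until convergence. Candidate right-hand sides
    are singletons and successor sets of Protagonist vertices, as suggested in Sect. 6."""
    VN = V - VP
    sets = {frozenset({w}) for w in V} | {frozenset(E[u]) for u in VP}
    # Seeding assumption (ours, replacing the Sect. 3.2 special cases): u ⊴ W if u is
    # a member of W, or if W contains a target vertex (whose value is maximal).
    rel: Set[Pair] = {(u, W) for u in V for W in sets if u in W or W & T}
    while True:
        size = len(rel)
        for v0 in V:                                   # Proposition 1(i), with S maximal
            for W in sets:
                S = {s for s in V if (s, W) in rel}
                if (v0, W) not in rel and not path_to_target_avoiding(E, v0, T, S):
                    rel.add((v0, W))
        for u in VN:                                   # Proposition 2(i)
            succ = E[u]
            if all((a, frozenset({b})) in rel for a in succ for b in succ):
                for x in succ:
                    rel.add((u, frozenset({x})))
                    rel.add((x, frozenset({u})))
        for u in VP - T:                               # Proposition 2(ii)
            nondominated = [w for w in E[u] if (w, frozenset(E[u]) - {w}) not in rel]
            # Conservative reading (ours): if every successor is dominated by the
            # others, keep all of them rather than concluding vacuously.
            candidates = nondominated or list(E[u])
            for v in VP - T:
                if all((w, frozenset(E[v])) in rel for w in candidates):
                    rel.add((u, frozenset({v})))
        pseudo_transitive_closure(rel, sets)
        if len(rel) == size:
            return rel


# Constructed target arena: p, q Protagonist; a, n, z, z2 Nature; t the only target.
# Val(a) = Val(q) = Val(t) = 1 while p, n, z, z2 can never reach t.
V = {"p", "q", "a", "n", "z", "z2", "t"}
VP = {"p", "q", "t"}
T = {"t"}
E = {"p": {"n", "z"}, "q": {"t"}, "a": {"q"}, "n": {"z", "z2"},
     "z": {"z"}, "z2": {"z2"}, "t": {"t"}}


def derived() -> Set[Pair]:
    """Pairs inferred for the arena above; e.g. p ⊴ {q}, a ⊴ {q}, n ~ z, but not q ⊴ {p}."""
    return under_approximate_nwr(V, VP, E, T)


if __name__ == "__main__":
    for u, W in sorted(derived(), key=lambda p: (p[0], sorted(p[1]))):
        print(u, "⊴", set(W))
```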


7 Conclusions 


We have shown that the never-worse relation is, unfortunately, not computable in 
polynomial time. On the bright side, we have extended the iterative polynomial- 
time algorithm from [2] to under-approximate the relation. In that paper, a 
prototype implementation of the algorithm was used to empirically show that 
interesting MDPs (from the set of benchmarks included in PRISM [17]) can be 
drastically reduced. 

As future work, we believe it would be interesting to implement an exact 
algorithm to compute the NWR using SMT solvers. Symbolic implementations 
of the iterative algorithms should also be tested in practice. In a more theoretical 
direction, we observe that the planning community has also studied maximizing 
the probability of reaching a target set of states under the name of MAXPROB 
(see, e.g., [16,21]). There, online approximations of the NWR would make more 
sense than the under-approximation we have proposed here. Finally, one could 
define a notion of never-worse for finite-horizon or quantitative objectives. 
Abstract. Stochastic automata are a formal compositional model for concurrent stochastic timed systems, with general distributions and nondeterministic choices. Measures of interest are defined over schedulers that resolve the nondeterminism. In this paper we investigate the power of various theoretically and practically motivated classes of schedulers, considering the classic complete-information view and a restriction to non-prophetic schedulers. We prove a hierarchy of scheduler classes w.r.t. unbounded probabilistic reachability. We find that, unlike Markovian formalisms, stochastic automata distinguish most classes even in this basic setting. Verification and strategy synthesis methods thus face a tradeoff between powerful and efficient classes. Using lightweight scheduler sampling, we explore this tradeoff and demonstrate the concept of a useful approximative verification technique for stochastic automata.


1 Introduction 


The need to analyse continuous-time stochastic models arises in many practical contexts, including critical infrastructures [4], railway engineering [36], space mission planning [7], and security [28]. This has led to a number of discrete event simulation tools, such as those for networking [34,35,42], whose probabilistic semantics is founded on generalised semi-Markov processes (GSMP [21,33]). Nondeterminism arises through inherent concurrency of independent processes [11], but may also be deliberate underspecification. Modelling such uncertainty with probability is convenient for simulation, but not always adequate [3,29]. Various models and formalisms have thus been proposed to extend continuous-time stochastic processes with nondeterminism [8,10,19,23,27,38]. It is then possible to verify such systems by considering the extremal probabilities of a property. These are the supremum and infimum of the probabilities of the property in the purely stochastic systems induced by classes of schedulers (also called strategies, policies or adversaries) that resolve all nondeterminism. If the nondeterminism is considered controllable, one may alternatively be interested in the planning problem of synthesising a scheduler that satisfies certain probability bounds.

We consider closed systems of stochastic automata (SA [16]), which extend GSMP and feature both generally distributed stochastic delays as well as discrete nondeterministic choices. The latter may arise from non-continuous distributions (e.g. deterministic delays), urgent edges, and edges waiting on multiple clocks. Numerical verification algorithms exist for very limited subclasses of SA only: Buchholz et al. [13] restrict to phase-type or matrix-exponential distributions, such that nondeterminism cannot arise (as each edge is guarded by a single clock). Bryans et al. [12] propose two algorithms that require an a priori fixed scheduler, continuous bounded distributions, and that all active clocks be reset when a location is entered. The latter forces regeneration on every edge, making it impossible to use clocks as memory between locations. Regeneration is central to the work of Ballarini et al. [6], however they again exclude nondeterminism. The only approach that handles nondeterminism is the region-based approximation scheme of Kwiatkowska et al. [30] for a model closely related to SA, but restricted to bounded continuous distributions. Without that restriction [22], error bounds and convergence guarantees are lost.

Evidently, the combination of nondeterminism and continuous probability distributions is a particularly challenging one. With this paper, we take on the underlying problem from a fundamental perspective: we investigate the power of, and relationships between, different classes of schedulers for SA. Our motivation is, on the one hand, that a clear understanding of scheduler classes is crucial to design verification algorithms. For example, Markov decision process (MDP) model checking works well because memoryless schedulers suffice for reachability, and the efficient time-bounded analysis of continuous-time MDP (CTMDP) exploits a relationship between two scheduler classes that are sufficiently simple, but on their own do not realise the desired extremal probabilities [14]. When it comes to planning problems, on the other hand, practitioners desire simple solutions, i.e. schedulers that need little information and limited memory, so as to be explainable and suitable for implementation on e.g. resource-constrained embedded systems. Understanding the capabilities of scheduler classes helps decide on the tradeoff between simplicity and the ability to attain optimal results.

We use two perspectives on schedulers from the literature: the classic complete-information residual lifetimes semantics [9], where optimality is defined via history-dependent schedulers that see the entire current state, and non-prophetic schedulers [25] that cannot observe the timing of future events. Within each perspective, we define classes of schedulers whose views of the state and history are variously restricted (Sect. 3). We prove their relative ordering w.r.t. achieving optimal reachability probabilities (Sect. 4). We find that SA distinguish most classes. In particular, memoryless schedulers suffice in the complete-information setting (as is implicit in the method of Kwiatkowska et al. [30]), but turn out to be suboptimal in the more realistic non-prophetic case. Considering only the relative order of clock expiration times, as suggested by the first algorithm of Bryans et al. [12], surprisingly leads to partly suboptimal, partly incomparable classes. Our distinguishing SA are small and employ a common nondeterministic gadget. They precisely pinpoint the crucial differences and how schedulers interact with the various features of SA, providing deep insights into the formalism itself.

Our study furthermore forms the basis for the application of lightweight scheduler sampling (LSS) to SA. LSS is a technique to use Monte Carlo simulation/statistical model checking with nondeterministic models. On every LSS simulation step, a pseudo-random number generator (PRNG) is re-seeded with a hash of the identifier of the current scheduler and the (restricted) information about the current state (and previous states, for history-dependent schedulers) that the scheduler’s class may observe. The PRNG’s first iterate then determines the scheduler’s action deterministically. LSS has been successfully applied to MDP [18,31,32] and probabilistic timed automata [15,26]. Using only constant memory, LSS samples schedulers uniformly from a selected scheduler class to find “near-optimal” schedulers that conservatively approximate the true extremal probabilities. Its principal advantage is that it is largely indifferent to the size of the state space and of the scheduler space; in general, sampling efficiency depends only on the likelihood of selecting near-optimal schedulers. However, the mass of near-optimal schedulers in a scheduler class that also includes the optimal scheduler may be less than the mass in a class that does not include it. Given that the mass of optimal schedulers may be vanishingly small, it may be advantageous to sample from a class of less powerful schedulers. We explore these tradeoffs and demonstrate the concept of LSS for SA in Sect. 5.


Other Related Work. Alur et al. first mention nondeterministic stochastic systems similar to SA in [2]. Markov automata (MA [19]), interactive Markov chains (IMC [27]) and CTMDP are special cases of SA restricted to exponential distributions. Song et al. [37] look into partial information distributed schedulers for MA, combining earlier works of de Alfaro [1] and Giro and D’Argenio [20] for MDP. Their focus is on information flow and hiding in parallel specifications. Wolf et al. [39] investigate the power of classic (time-abstract, deterministic and memoryless) scheduler classes for IMC. They establish (non-strict) subset relationships for almost all classes w.r.t. trace distribution equivalence, a very strong measure. Wolovick and Johr [41] show that the class of measurable schedulers for CTMDP is complete and sufficient for reachability problems.


2 Preliminaries 


For a given set $S$, its power set is $\mathcal{P}(S)$. We denote by $\mathbb{R}$, $\mathbb{R}^+$, and $\mathbb{R}_0^+$ the sets of real numbers, positive real numbers and non-negative real numbers, respectively. A (discrete) probability distribution over a set $\Omega$ is a function $\mu: \Omega \to [0, 1]$, such that $\mathit{support}(\mu) = \{\omega \in \Omega \mid \mu(\omega) > 0\}$ is countable and $\sum_{\omega \in \mathit{support}(\mu)} \mu(\omega) = 1$. $\mathit{Dist}(\Omega)$ is the set of probability distributions over $\Omega$. We write $\mathcal{D}(\omega)$ for the Dirac distribution for $\omega$, defined by $\mathcal{D}(\omega)(\omega) = 1$. $\Omega$ is measurable if it is endowed with a $\sigma$-algebra $\sigma(\Omega)$: a collection of measurable subsets of $\Omega$. A (continuous) probability measure over $\Omega$ is a function $\mu: \sigma(\Omega) \to [0, 1]$, such that $\mu(\Omega) = 1$ and $\mu(\bigcup_{i \in I} B_i) = \sum_{i \in I} \mu(B_i)$ for any countable index set $I$ and pairwise disjoint measurable sets $B_i \subseteq \Omega$. $\mathit{Prob}(\Omega)$ is the set of probability measures over $\Omega$. Each $\mu \in \mathit{Dist}(\Omega)$ induces a probability measure. Given probability measures $\mu_1$ and $\mu_2$, we denote by $\mu_1 \otimes \mu_2$ the product measure: the unique probability measure such that $(\mu_1 \otimes \mu_2)(B_1 \times B_2) = \mu_1(B_1) \cdot \mu_2(B_2)$, for all measurable $B_1$ and $B_2$. For a collection of measures $(\mu_i)_{i \in I}$, we analogously denote the product measure by $\bigotimes_{i \in I} \mu_i$. Let $\mathit{Val} = V \to \mathbb{R}_0^+$ be the set of valuations for an (implicit) set $V$ of (non-negative real-valued) variables. $\mathbf{0} \in \mathit{Val}$ assigns value zero to all variables. Given $X \subseteq V$ and $v \in \mathit{Val}$, we write $v[X]$ for the valuation defined by $v[X](x) = 0$ if $x \in X$ and $v[X](y) = v(y)$ otherwise. For $t \in \mathbb{R}_0^+$, $v + t$ is the valuation defined by $(v + t)(x) = v(x) + t$ for all $x \in V$.


Stochastic Automata [16] extend labelled transition systems with stochastic 
clocks: real-valued variables that increase synchronously with rate 1 over time 
and expire some random amount of time after having been restarted. Formally: 


Definition 1. A stochastic automaton (SA) is a tuple $(\mathit{Loc}, C, A, E, F, \ell_{init})$, where $\mathit{Loc}$ is a countable set of locations, $C$ is a finite set of clocks, $A$ is the finite action alphabet, and $E: \mathit{Loc} \to \mathcal{P}(\mathcal{P}(C) \times A \times \mathcal{P}(C) \times \mathit{Dist}(\mathit{Loc}))$ is the edge function, which maps each location to a finite set of edges that in turn consist of a guard set of clocks, a label, a restart set of clocks and a distribution over target locations. $F: C \to \mathit{Prob}(\mathbb{R}_0^+)$ is the delay measure function that maps each clock to a probability measure, and $\ell_{init} \in \mathit{Loc}$ is the initial location.


We also write $\ell \xrightarrow{G, a, R}_E \mu$ for $(G, a, R, \mu) \in E(\ell)$. W.l.o.g. we restrict to SA where edges are fully characterised by source state and action label, i.e. whenever $\ell \xrightarrow{G_1, a, R_1}_E \mu_1$ and $\ell \xrightarrow{G_2, a, R_2}_E \mu_2$, then $G_1 = G_2$, $R_1 = R_2$ and $\mu_1 = \mu_2$. Intuitively, an SA starts in $\ell_{init}$ with all clocks expired. An edge $\ell \xrightarrow{G, a, R}_E \mu$ may be taken only if all clocks in $G$ are expired. If any edge is enabled, some edge must be taken (i.e. all actions are urgent and thus the SA is closed). When an edge is taken, its action is $a$, all clocks in $R$ are restarted, other expired clocks remain expired, and we move to successor location $\ell'$ with probability $\mu(\ell')$. There, another edge may be taken immediately or we may need to wait until some further clocks expire, and so on. When a clock $c$ is restarted, the time until it expires is chosen randomly according to the probability measure $F(c)$.


Example 1. We show an example SA, $M_0$, in Fig. 1. Its initial location is $\ell_0$. It has two clocks, $x$ and $y$, with $F(x)$ and $F(y)$ both being the continuous uniform distribution over the interval $[0, 1]$. No time can pass in locations $\ell_0$ and $\ell_1$, since they have outgoing edges with empty guard sets. We omit action labels and assume every edge to have a unique label. On entering $\ell_1$, both clocks are restarted. The choice of going to either $\ell_2$ or $\ell_3$ from $\ell_1$ is nondeterministic, since the two edges are always enabled at the same time. In $\ell_2$, we have to wait until the first of the two clocks expires. If that is $x$, we have to move to location $\checkmark$; if it is $y$, we have to move to $\times$. The probability that both expire at the same time is zero. Location $\ell_3$ behaves analogously, but with the target states interchanged.

[Fig. 1. Example SA $M_0$, with clocks $x$ and $y$ and $F(x) = F(y) = \mathrm{Uni}(0, 1)$.]

[Fig. 2. Excerpt of the TPTS semantics of $M_0$: from $(\ell_0, (0,0), (0,0))$ to the states $(\ell_1, (0,0), (e(x), e(y)))$, then to $\ell_2$ or $\ell_3$, and, assuming $e(x) < e(y)$, after a delay of $e(x)$ to $\checkmark$ resp. $\times$.]


Timed Probabilistic Transition Systems form the semantics of SA. They are finitely-nondeterministic uncountable-state transition systems:

Definition 2. A (finitely nondeterministic) timed probabilistic transition system (TPTS) is a tuple $(S, A', T, s_{init})$. $S$ is a measurable set of states. $A' = \mathbb{R}^+ \uplus A$ is the alphabet, partitioned into delays in $\mathbb{R}^+$ and jumps in $A$. $T: S \to \mathcal{P}(A' \times \mathit{Prob}(S))$ is the transition function, which maps each state to a finite set of transitions, each consisting of a label in $A'$ and a measure over target states. The initial state is $s_{init} \in S$. For all $s \in S$, we require $|T(s)| = 1$ if $\exists (t, \mu) \in T(s) : t \in \mathbb{R}^+$, i.e. states admitting delays are deterministic.


We also write $s \xrightarrow{a}_T \mu$ for $(a, \mu) \in T(s)$. A run is an infinite alternating sequence $s_0 a_0 s_1 a_1 \ldots \in (S \times A')^\omega$, with $s_0 = s_{init}$. A history is a finite prefix of a run ending in a state, i.e. an element of $(S \times A')^* \times S$. Runs resolve all nondeterministic and probabilistic choices. A scheduler resolves only the nondeterminism:


Definition 3. A measurable function $\mathfrak{s}: (S \times A')^* \times S \to \mathit{Dist}(A' \times \mathit{Prob}(S))$ is a scheduler if, for all histories $h \in (S \times A')^* \times S$, $(a, \mu) \in \mathit{support}(\mathfrak{s}(h))$ implies $\mathit{lst}_h \xrightarrow{a}_T \mu$, where $\mathit{lst}_h$ is the last state of $h$.


Once a scheduler has chosen $s_i \xrightarrow{a}_T \mu$, the successor state $s_{i+1}$ is picked randomly according to $\mu$. Every scheduler $\mathfrak{s}$ defines a probability measure $P_{\mathfrak{s}}$ on the space of all runs. For a formal definition, see [40]. As is usual, we restrict to non-Zeno schedulers that make time diverge with probability one: we require $P_{\mathfrak{s}}(\Pi_\infty) = 1$, where $\Pi_\infty$ is the set of runs where the sum of delays is $\infty$. In the remainder of this paper we consider extremal probabilities of reaching a set of goal locations $G$:


Definition 4. For $G \subseteq \mathit{Loc}$, let $\Diamond_G \stackrel{\text{def}}{=} \{(\ell, v, e) \in S \mid \ell \in G\}$. Let $\mathfrak{S}$ be a class of schedulers. Then $P^{\mathfrak{S}}_{\min}(G)$ and $P^{\mathfrak{S}}_{\max}(G)$ are the minimum and maximum reachability probabilities for $G$ under $\mathfrak{S}$, defined as $P^{\mathfrak{S}}_{\min}(G) = \inf_{\mathfrak{s} \in \mathfrak{S}} P_{\mathfrak{s}}(\Diamond_G)$ and $P^{\mathfrak{S}}_{\max}(G) = \sup_{\mathfrak{s} \in \mathfrak{S}} P_{\mathfrak{s}}(\Diamond_G)$, respectively.
Semantics of Stochastic Automata. We present here the residual lifetimes semantics of [9], simplified for closed SA: any delay step must be of the minimum delay that makes some edge become enabled.

Definition 5. The semantics of an SA $M = (\mathit{Loc}, C, A, E, F, \ell_{init})$ is the TPTS
$$\llbracket M \rrbracket = (\mathit{Loc} \times \mathit{Val} \times \mathit{Val},\ A \uplus \mathbb{R}^+,\ T_M,\ (\ell_{init}, \mathbf{0}, \mathbf{0}))$$
where the states are triples $(\ell, v, e)$ of the current location $\ell$, a valuation $v$ assigning to each clock its current value, and a valuation $e$ keeping track of all clocks' expiration times. $T_M$ is the smallest transition function satisfying the inference rules
$$\frac{\ell \xrightarrow{G, a, R}_E \mu \qquad \mathit{En}(G, v, e)}{(\ell, v, e) \xrightarrow{a}_{T_M} \mu \otimes \mathcal{D}(v[R]) \otimes \mathit{Sample}^R_e}$$
$$\frac{t \in \mathbb{R}^+ \qquad \exists\, \ell \xrightarrow{G, a, R}_E \mu : \mathit{En}(G, v + t, e) \qquad \forall t' \in [0, t),\ \ell \xrightarrow{G, a, R}_E \mu : \neg \mathit{En}(G, v + t', e)}{(\ell, v, e) \xrightarrow{t}_{T_M} \mathcal{D}((\ell, v + t, e))}$$
with $\mathit{En}(G, v, e) \stackrel{\text{def}}{=} \forall x \in G : v(x) \ge e(x)$ characterising the enabled edges and
$$\mathit{Sample}^R_e \stackrel{\text{def}}{=} \bigotimes_{c \in C} \begin{cases} F(c) & \text{if } c \in R \\ \mathcal{D}(e(c)) & \text{if } c \notin R. \end{cases}$$
The second rule creates delay steps of $t$ time units if no edge is enabled from now until just before $t$ time units have elapsed (third premise) but then, after exactly $t$ time units, some edge becomes enabled (second premise). The first rule applies if an edge $\ell \xrightarrow{G, a, R}_E \mu$ is enabled: a transition is taken with the edge’s label, the successor state’s location is chosen by $\mu$, $v$ is updated by resetting the clocks in $R$ to zero, and the expiration times for the restarted clocks are resampled. All other expiration times remain unchanged. Notice that $\llbracket M \rrbracket$ is also a nondeterministic labelled Markov process [40] (a proof can be found in [17]).


Example 2. Figure 2 outlines the semantics of $M_0$. The first step from $\ell_0$ to all the states in $\ell_1$ is a single transition. Its probability measure is the product of $F(x)$ and $F(y)$, sampling the expiration times of the two clocks. We exemplify the behaviour of all of these states by showing it for the case of expiration times $e(x)$ and $e(y)$, with $e(x) < e(y)$. In this case, to maximise the probability of reaching $\checkmark$, we should take the transition to the state in $\ell_2$. If a scheduler $\mathfrak{s}$ can see the expiration times, noting that only their order matters here, it can always make the optimal choice and achieve $P^{\mathfrak{S}}_{\max}(\{\checkmark\}) = 1$.


3 Classes of Schedulers 


We now define classes of schedulers for SA with restricted information, hiding in various combinations the history and parts of states such as clock values and expiration times. All definitions consider TPTS as in Definition 5 with states $(\ell, v, e)$ and we require for all $\mathfrak{s}$ that $(a, \mu) \in \mathit{support}(\mathfrak{s}(h)) \Rightarrow \mathit{lst}_h \xrightarrow{a}_T \mu$, as in Definition 3.
3.1 Classic Schedulers

We first consider the “classic” complete-information setting where schedulers can in particular see expiration times. We start with restricted classes of history-dependent schedulers. Our first restriction hides the values of all clocks, only revealing the total time since the start of the history. This is inspired by the step-counting or time-tracking schedulers needed to obtain optimal step-bounded or time-bounded reachability probabilities on MDP or Markov automata:

Definition 6. A classic history-dependent global-time scheduler is a measurable function $\mathfrak{s}: (S|_{\ell,t,e} \times A')^* \times S|_{\ell,t,e} \to \mathit{Dist}(A' \times \mathit{Prob}(S))$, where $S|_{\ell,t,e} = \mathit{Loc} \times \mathbb{R}_0^+ \times \mathit{Val}$ with the second component being the total time $t$ elapsed since the start of the history. We write $\mathfrak{S}^{hist}_{\ell,t,e}$ for the set of all such schedulers.

We next hide the values of all clocks, revealing only their expiration times:

Definition 7. A classic history-dependent location-based scheduler is a measurable function $\mathfrak{s}: (S|_{\ell,e} \times A')^* \times S|_{\ell,e} \to \mathit{Dist}(A' \times \mathit{Prob}(S))$, where $S|_{\ell,e} = \mathit{Loc} \times \mathit{Val}$, with the second component being the clock expiration times $e$. We write $\mathfrak{S}^{hist}_{\ell,e}$ for the set of all such schedulers.

Having defined three classes of classic history-dependent schedulers, $\mathfrak{S}^{hist}_{\ell,v,e}$, $\mathfrak{S}^{hist}_{\ell,t,e}$ and $\mathfrak{S}^{hist}_{\ell,e}$, noting that $\mathfrak{S}^{hist}_{\ell,v,e}$ denotes all schedulers of Definition 3, we also consider them with the restriction that they only see the relative order of clock expiration, instead of the exact expiration times: for each pair of clocks $c_1, c_2$, these schedulers see the relation ${\sim} \in \{<, =, >\}$ in $e(c_1) - v(c_1) \sim e(c_2) - v(c_2)$. E.g. in $\ell_1$ of Example 2, the scheduler would not see $e(x)$ and $e(y)$, but only whether $e(x) < e(y)$ or vice-versa (since $v(x) = v(y) = 0$, and equality has probability 0 here). We consider this case because the expiration order is sufficient for the first algorithm of Bryans et al. [12], and would allow optimal decisions in $M_0$ of Fig. 1. We denote the relative order information by $o$, and the corresponding scheduler classes by $\mathfrak{S}^{hist}_{\ell,v,o}$, $\mathfrak{S}^{hist}_{\ell,t,o}$ and $\mathfrak{S}^{hist}_{\ell,o}$. We now define memoryless schedulers, which only see the current state and are at the core of e.g. MDP model checking. On most formalisms, they suffice to obtain optimal reachability probabilities.

Definition 8. A classic memoryless scheduler is a measurable function $\mathfrak{s}: S \to \mathit{Dist}(A' \times \mathit{Prob}(S))$. We write $\mathfrak{S}^{ml}_{\ell,v,e}$ for the set of all such schedulers.

We apply the same restrictions as for history-dependent schedulers:

Definition 9. A classic memoryless global-time scheduler is a measurable function $\mathfrak{s}: S|_{\ell,t,e} \to \mathit{Dist}(A' \times \mathit{Prob}(S))$, with $S|_{\ell,t,e}$ as in Definition 6. We write $\mathfrak{S}^{ml}_{\ell,t,e}$ for the set of all such schedulers.

Definition 10. A classic memoryless location-based scheduler is a measurable function $\mathfrak{s}: S|_{\ell,e} \to \mathit{Dist}(A' \times \mathit{Prob}(S))$, with $S|_{\ell,e}$ as in Definition 7. We write $\mathfrak{S}^{ml}_{\ell,e}$ for the set of all such schedulers.

Again, we also consider memoryless schedulers that can see the expiration order, so we have the scheduler classes $\mathfrak{S}^{ml}_{\ell,v,o}$, $\mathfrak{S}^{ml}_{\ell,t,o}$ and $\mathfrak{S}^{ml}_{\ell,o}$. Class $\mathfrak{S}^{ml}_{\ell,o}$ is particularly attractive because it has a compact finite domain.
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3.2 Non-prophetic Schedulers 


Consider the SA M0 in Fig. 1. No matter which of the previously defined sched- 
uler classes we choose, we always find a scheduler that achieves probability 1 to 
reach ✓, and a scheduler that achieves probability 0. This is because they can all 
see the expiration times or expiration order of x and y when in ℓ1. When in ℓ1, 
x and y have not yet expired—this will only happen later, in ℓ2 or ℓ3—yet the 
schedulers already know which clock will “win”. The classic schedulers can thus 
be seen to make decisions based on the timing of future events. This prophetic 
scheduling has already been observed in [9], where a “fix” in the form of the spent 
lifetimes semantics was proposed. Hartmanns et al. [25] have shown that this not 
only still permits prophetic scheduling, but even admits divine scheduling, where 
a scheduler can change the future. The authors propose a complex non-prophetic 
semantics that provably removes all prophetic and divine behaviour. 

Much of the complication of the non-prophetic semantics of [25] is due to it 
being specified for open SA that include delayable actions. For the closed SA 
setting of this paper, prophetic scheduling can be more easily excluded by hiding 
from the schedulers all information about what will happen in the future of the 
system’s evolution. This information is only contained in the expiration times e 
or the expiration order o. We can thus keep the semantics of Sect. 2 and modify 
the definition of schedulers to exclude prophetic behaviour by construction. 

In what follows, we thus also consider all scheduler classes of Sect. 3.1 with 
the added constraint that the expiration times, resp. the expiration order, are not 
visible, resulting in the non-prophetic classes 𝔖^hist_{ℓ,v}, 𝔖^hist_{ℓ,t}, 𝔖^hist_ℓ, 𝔖^ml_{ℓ,v}, 𝔖^ml_{ℓ,t} and 
𝔖^ml_ℓ. Any non-prophetic scheduler can only reach ✓ of M0 with probability ½. 


4 The Power of Schedulers 


Now that we have defined a number of classes of schedulers, we need to determine 
what the effect of the restrictions is on our ability to optimally control an SA. 
We thus evaluate the power of scheduler classes w.r.t. unbounded reachability 
probabilities (Definition 4) on the semantics of SA. We will see that this simple 
setting already suffices to reveal interesting differences between scheduler classes. 

For two scheduler classes 𝔖1 and 𝔖2, we write 𝔖1 ⪰ 𝔖2 if, for all SA and 
all sets of goal locations G, P^min_{𝔖1}(G) ≤ P^min_{𝔖2}(G) and P^max_{𝔖1}(G) ≥ P^max_{𝔖2}(G). We 
write 𝔖1 ≻ 𝔖2 if additionally there exists at least one SA and set G′ where 
P^min_{𝔖1}(G′) < P^min_{𝔖2}(G′) or P^max_{𝔖1}(G′) > P^max_{𝔖2}(G′). Finally, we write 𝔖1 ≈ 𝔖2 for 
𝔖1 ⪰ 𝔖2 ∧ 𝔖2 ⪰ 𝔖1, and 𝔖1 ≉ 𝔖2, i.e. the classes are incomparable, for 
𝔖1 ⋡ 𝔖2 ∧ 𝔖2 ⋡ 𝔖1. Unless noted otherwise, we omit proofs for 𝔖1 ⪰ 𝔖2 
when it is obvious that the information available to 𝔖1 includes the information 
available to 𝔖2. All our distinguishing examples are based on the resolution of 
a single nondeterministic choice between two actions to eventually reach one of 
two locations. We therefore prove only w.r.t. the maximum probability, P_max, 
for these examples since the minimum probability is given by 1 − P_max and an 
analogous proof for P_min can be made by relabelling locations. We may write 
P_max(◇✓) for P^max_𝔖({✓}) to improve readability. 
Fig. 3. Hierarchy of classic scheduler classes   Fig. 4. Non-prophetic classes 


4.1 The Classic Hierarchy 


We first establish that all classic history-dependent scheduler classes are equiv- 
alent: 

Proposition 1. 𝔖^hist_{ℓ,v,e} ≈ 𝔖^hist_{ℓ,t,e} ≈ 𝔖^hist_{ℓ,e}. 

Proof. From the transition labels in A′ = A ⊎ ℝ⁺ in the history (S′ × A′)*, with 
S′ ∈ { S, S|_{ℓ,t,e}, S|_{ℓ,e} } depending on the scheduler class, we can reconstruct the 
total elapsed time as well as the values of all clocks: to obtain the total elapsed 
time, sum the labels in ℝ⁺ up to each state; to obtain the values of all clocks, do 
the same per clock and perform the resets of the edges identified by the actions. 


The same argument applies among the expiration-order history-dependent 
classes: 

Proposition 2. 𝔖^hist_{ℓ,v,o} ≈ 𝔖^hist_{ℓ,t,o} ≈ 𝔖^hist_{ℓ,o}. 

However, the expiration-order history-dependent schedulers are strictly less pow- 
erful than the classic history-dependent ones: 

Proposition 3. 𝔖^hist_{ℓ,v,e} ≻ 𝔖^hist_{ℓ,v,o}. 

Proof. Consider the SA M1 in Fig. 5. Note that the history does not provide 
any information for making the choice in ℓ1: we always arrive after having spent 
zero time in ℓ0 and then having taken the single edge to ℓ1. We can analytically 
determine that P_max(𝔖^hist_{ℓ,v,e}) = ¾ by going from ℓ1 to ℓ2 if e(x) < ½ and to ℓ3 
otherwise. We would obtain a probability equal to ½ by always going to either 
ℓ2 or ℓ3 or by picking either edge with equal probability. This is the best we can 
do if e is not visible, and thus P_max(𝔖^hist_{ℓ,v,o}) = ½: in ℓ1, v(x) = v(y) = 0 and the 
expiration order is always “y before x” because y has not yet been started. 


Just like for MDP and unbounded reachability probabilities, the classic history- 
dependent and memoryless schedulers with complete information are equivalent: 


Proposition 4. 𝔖^hist_{ℓ,v,e} ≈ 𝔖^ml_{ℓ,v,e}. 


Fig. 5. SA M1   Fig. 6. SA M2   Fig. 7. SA M3 


Proof sketch. Our definition of TPTS only allows finite nondeterministic choices, 
i.e. we have a very restricted form of continuous-space MDP. We can thus adapt 
the argument of the corresponding proof for MDP [5, Lemma 10.102]: For each 
state (of possibly countably many), we construct a notional optimal memoryless 
(and deterministic) scheduler in the same way, replacing the summation by an 
integration for the continuous measures in the transition function. It remains to 
show that this scheduler is indeed measurable. For TPTS that are the semantics 
of SA, this follows from the way clock values are used in the guard sets so that 
optimal decisions are constant over intervals of clock values and expiration times 
(see e.g. the arguments in [12] or [30]). 


On the other hand, when restricting schedulers to see the expiration order 
only, history-dependent and memoryless schedulers are no longer equivalent: 
Proposition 5. 𝔖^hist_{ℓ,v,o} ≻ 𝔖^ml_{ℓ,v,o}. 

Proof. Consider the SA M2 in Fig. 6. Let 𝔰^opt_{ml(ℓ,v,o)} be the (unknown) optimal 
scheduler in 𝔖^ml_{ℓ,v,o} w.r.t. the max. probability of reaching ✓. Define 𝔰^better_{hist(ℓ,v,o)} ∈ 
𝔖^hist_{ℓ,v,o} as: when in ℓ2 and the last edge in the history is the left one (i.e. x is 
expired), go to ℓ3; otherwise, behave like 𝔰^opt_{ml(ℓ,v,o)}. This scheduler distinguishes 
𝔖^hist_{ℓ,v,o} and 𝔖^ml_{ℓ,v,o} (by achieving a strictly higher max. probability than 𝔰^opt_{ml(ℓ,v,o)}) if 
and only if there are some combinations of clock values (aspect v) and expiration 
orders (aspect o) in ℓ2 that can be reached with positive probability via the left 
edge into ℓ2, for which 𝔰^opt_{ml(ℓ,v,o)} must nevertheless decide to go to ℓ4. 
All possible clock valuations in ℓ2 can be achieved via either the left or the 
right edge, but taking the left edge implies that x expires before z in ℓ2. It 
is thus sufficient to show that 𝔰^opt_{ml(ℓ,v,o)} must go to ℓ4 in some cases where x 
expires before z. The general form of schedulers in 𝔖^ml_{ℓ,v,o} in ℓ2 is “go to ℓ3 iff 
(a) x expires before z and v(x) ∈ S1 or (b) z expires before x and v(x) ∈ S2” 
where the S_i are measurable subsets of [0,8]. S2 is in fact irrelevant: whatever 
𝔰^opt_{ml(ℓ,v,o)} does when (b) is satisfied will be mimicked by 𝔰^better_{hist(ℓ,v,o)} because z can 
only expire before x when coming via the right edge into ℓ2. Conditions (a) and 
(b) are independent. 

With S1 = [0,8], the max. probability is 77/96 ≈ 0.802083. Since this is the 
only scheduler in 𝔖^ml_{ℓ,v,o} that is relevant for our proof and never goes to ℓ4 when 
x expires before z, it remains to show that the max. probability under 𝔰^opt_{ml(ℓ,v,o)} 
is > 77/96. With S1 = [0, 3), we have a max. probability of 7561/9216 ≈ 0.820421. Thus 
𝔰^opt_{ml(ℓ,v,o)} must sometimes go to ℓ4 even when the left edge was taken, so 𝔰^better_{hist(ℓ,v,o)} 
achieves a higher probability and thus distinguishes the classes. 

394 P. R. D’Argenio et al. 


Knowing only the global elapsed time is less powerful than knowing the full 
history or the values of all clocks: 


Proposition 6. 𝔖^hist_{ℓ,t,e} ≻ 𝔖^ml_{ℓ,t,e} and 𝔖^ml_{ℓ,v,e} ≻ 𝔖^ml_{ℓ,t,e}. 

Proof sketch. Consider the SA M3 in Fig. 7. We have P_max(𝔖^hist_{ℓ,t,e}) = 1: when 
in ℓ3, the scheduler sees from the history which of the two incoming edges was 
used, and thus knows whether x or y is already expired. It can then make the 
optimal choice: go to ℓ4 if x is already expired, or to ℓ5 otherwise. We also have 
P_max(𝔖^ml_{ℓ,v,e}) = 1: the scheduler sees that either v(x) = 0 or v(y) = 0, which 
implies that the other clock is already expired, and the argument above applies. 
However, P_max(𝔖^ml_{ℓ,t,e}) < 1: the distribution of elapsed time t on entering ℓ3 is 
itself independent of which edge is taken. With probability ½, exactly one of e(x) 
and e(y) is below t in ℓ3, which implies that that clock has just expired and thus 
the scheduler can decide optimally. Yet with probability ½, the expiration times 
are not useful: they are both positive and drawn from the same distribution, 
but one unknown clock is expired. The wait for x in ℓ1 ensures that comparing 
t with the expiration times in e does not reveal further information in this case. 


In the case of MDP, knowing the total elapsed time (i.e. steps) does not make 
a difference for unbounded reachability. Only for step-bounded properties is that 
extra knowledge necessary to achieve optimal probabilities. With SA, however, 
it makes a difference even in the unbounded case: 


Proposition 7. 𝔖^ml_{ℓ,t,e} ≻ 𝔖^ml_{ℓ,e}. 

Proof. Consider SA M4 in Fig. 8. We have P_max(𝔖^ml_{ℓ,t,e}) = 1: in ℓ2, the remaining 
time until y expires is e(y) and the remaining time until x expires is e(x) − t for 
the global time value t as ℓ2 is entered. The scheduler can observe all of these 
quantities and thus optimally go to ℓ3 if x will expire first, or to ℓ4 otherwise. 
However, P_max(𝔖^ml_{ℓ,e}) < 1: e(x) only contains the absolute expiration time of x, 
but without knowing t or the expiration time of z in ℓ1, and thus the current 
value v(x), this scheduler cannot know with certainty which of the clocks will 
expire first and is therefore unable to make an optimal choice in ℓ2. 


Fig. 8. SA M4   Fig. 9. SA M5   Fig. 10. SA M6 


Finally, we need to compare the memoryless schedulers that see the clock expi- 
ration times with memoryless schedulers that see the expiration order. As noted 
in Sect. 3.1, these two views of the current state are incomparable unless we also 
see the clock values: 

Proposition 8. 𝔖^ml_{ℓ,v,e} ≻ 𝔖^ml_{ℓ,v,o}. 

Proof. 𝔖^ml_{ℓ,v,o} ⋡ 𝔖^ml_{ℓ,v,e} follows from the same argument as in the proof of Propo- 
sition 3. 𝔖^ml_{ℓ,v,e} ⪰ 𝔖^ml_{ℓ,v,o} is because knowing the current clock values v and the 
expiration times e is equivalent to knowing the expiration order, since that is 
precisely the order of the differences e(c) − v(c) for all clocks c. 


Proposition 9. 𝔖^ml_{ℓ,t,e} ≉ 𝔖^ml_{ℓ,t,o}. 

Proof. 𝔖^ml_{ℓ,t,o} ⋡ 𝔖^ml_{ℓ,t,e} follows from the same argument as in the proof of Propo- 
sition 3. For 𝔖^ml_{ℓ,t,e} ⋡ 𝔖^ml_{ℓ,t,o}, consider the SA M3 of Fig. 7. We know from the 
proof of Proposition 6 that P_max(𝔖^ml_{ℓ,t,e}) < 1. However, if the scheduler knows 
the order in which the clocks will expire, it knows which one has already expired 
(the first one in the order), and can thus make the optimal choice in ℓ3 to achieve 
P_max(𝔖^ml_{ℓ,t,o}) = 1. 
Proposition 10. 𝔖^ml_{ℓ,e} ≉ 𝔖^ml_{ℓ,o}. 

Proof. The argument of Proposition 9 applies by observing that, in M3 of 
Fig. 7, we also have P_max(𝔖^ml_{ℓ,e}) < 1 via the same argument as for 𝔖^ml_{ℓ,t,e} in 
the proof of Proposition 6. 


Among the expiration-order schedulers, the hierarchy is as expected: 
Proposition 11. 𝔖^ml_{ℓ,v,o} ≻ 𝔖^ml_{ℓ,t,o} ≻ 𝔖^ml_{ℓ,o}. 

Proof sketch. Consider M5 of Fig. 9. To maximise the probability, in ℓ3 we should 
go to ℓ4 whenever z is already expired or close to expiring, for which the amount 
of time spent in ℓ2 is an indication. 𝔖^ml_{ℓ,o} only knows that x may have expired 
when the expiration order is “x before y”, but definitely has not expired when it 
is “y before x”. Schedulers in 𝔖^ml_{ℓ,t,o} can do better: they also see the amount of 
time spent in ℓ2. Thus 𝔖^ml_{ℓ,t,o} ≻ 𝔖^ml_{ℓ,o}. If we modify M5 by adding an initial delay 
on z from a new ℓ0 to ℓ1 as in M6, then the same argument can be used to prove 
𝔖^ml_{ℓ,v,o} ≻ 𝔖^ml_{ℓ,t,o}: the extra delay makes knowing the elapsed time t useless with 
positive probability, but the exact time spent in ℓ2 is visible to 𝔖^ml_{ℓ,v,o} as v(x). 


We have thus established the hierarchy of classic schedulers shown in Fig. 3, 
noting that some of the relationships follow from the propositions by transitivity. 


4.2 The Non-prophetic Hierarchy 


Each non-prophetic scheduler class is clearly dominated by the classic and 
expiration-order scheduler classes that otherwise have the same information, 
for example 𝔖^ml_{ℓ,t} ≺ 𝔖^ml_{ℓ,t,e} (with very simple distinguishing SA). We show that 
the non-prophetic hierarchy follows the shape of the classic case, including the 
difference between global-time and pure memoryless schedulers, with the notable 
exception of memoryless schedulers being weaker than history-dependent ones. 

Proposition 12. 𝔖^hist_{ℓ,v} ≈ 𝔖^hist_{ℓ,t} ≈ 𝔖^hist_ℓ. 

Proof. This follows from the argument of Proposition 1. 

Proposition 13. 𝔖^hist_{ℓ,v} ≻ 𝔖^ml_{ℓ,v}. 

Proof. Consider the SA M6 in Fig. 10. It is similar to M4 of Fig. 8, and our 
arguments are thus similar to the proof of Proposition 7. On M6, we have 
P_max(𝔖^hist_{ℓ,v}) = 1: in ℓ2, the history reveals which of the two incoming edges was 
used, i.e. which clock is already expired, thus the scheduler can make the optimal 
choice. However, if neither the history nor e is available, we get P_max(𝔖^ml_{ℓ,v}) = ½: 
the only information that can be used in ℓ2 are the values of the clocks, but 
v(x) = v(y), so there is no basis for an informed choice. 

Proposition 14. 𝔖^hist_{ℓ,t} ≻ 𝔖^ml_{ℓ,t} and 𝔖^ml_{ℓ,v} ≻ 𝔖^ml_{ℓ,t}. 

Proof. Consider the SA M3 in Fig. 7. We have P_max(𝔖^hist_{ℓ,t}) = P_max(𝔖^ml_{ℓ,v}) = 1, 
but P_max(𝔖^ml_{ℓ,t}) = ½ by the same arguments as in the proof of Proposition 6. 


Proposition 15. 𝔖^ml_{ℓ,t} ≻ 𝔖^ml_ℓ. 

Proof. Consider the SA M4 in Fig. 8. The schedulers in 𝔖^ml_ℓ have no information 
but the current location, so they cannot make an informed choice in ℓ2. This and 
the simple loop-free structure of M4 make it possible to analytically calculate 
the resulting probability: P_max(𝔖^ml_ℓ) = 17/24 ≈ 0.7083. If information about the 
global elapsed time t in ℓ2 is available, however, the value of x is revealed. This 
allows making a better choice, e.g. going to ℓ3 when t < ½ and to ℓ4 otherwise, 
resulting in P_max(𝔖^ml_{ℓ,t}) ≈ 0.771 (statistically estimated with high confidence). 

We have thus established the hierarchy of non-prophetic schedulers shown in 
Fig. 4, where some relationships follow from the propositions by transitivity. 


5 Experiments 


We have built a prototype implementation of lightweight scheduler sampling for 
SA by extending the MODEST TOOLSET’s [24] MODES simulator, which already 
supports deterministic stochastic timed automata (STA [8]). With some care, 
SA can be encoded into STA. Using the original algorithm for MDP of [18], 
our prototype works by providing to the schedulers a discretised view of the 
continuous components of the SA’s semantics, which, we recall, is a continuous- 
space MDP. The currently implemented discretisation is simple: for each real- 
valued quantity (the value v(c) of clock c, its expiration time e(c), and the global 
elapsed time t), it identifies all values that lie within the same interval [i/n, (i+1)/n), 
for integers i, n. We note that better static discretisations are almost certainly 
possible, e.g. a region construction for the clock values as in [30]. 
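As an added illustration of the discretised view just described (our own code, not the modes prototype), the following Python builds, for each memoryless scheduler class of Sect. 3, the view a lightweight scheduler gets after every real-valued quantity is replaced by its interval index, and derives the scheduler's decision by hashing its seed with that view; the State record, the class keys and the hashing scheme are assumptions of this example.

```python
"""Discretised state views for lightweight scheduler sampling on an SA.

Added illustration (not the modes prototype's code): a state of the SA
semantics carries the location l, the clock values v, the expiration times e
and the global elapsed time t.  Each scheduler class of Sect. 3 sees only some
of these, and the prototype of Sect. 5 replaces every real-valued quantity by
the index i of the interval [i/n, (i+1)/n) containing it.  A lightweight
scheduler is an integer seed whose decision in a state is a hash of the seed
and the view, so states with equal views always get equal decisions.
The State record, the class keys and the hashing scheme are our assumptions.
"""
from dataclasses import dataclass
import hashlib
import math


@dataclass(frozen=True)
class State:
    loc: str
    v: dict    # clock -> current value
    e: dict    # clock -> expiration time sampled when the clock was started
    t: float   # global elapsed time


# Aspects a class may see: 'v' clock values, 't' global time,
# 'e' expiration times, 'o' expiration order (the location is always seen).
CLASSES = {
    "ml_l_v_e": {"v", "e"}, "ml_l_t_e": {"t", "e"}, "ml_l_e": {"e"},
    "ml_l_v_o": {"v", "o"}, "ml_l_t_o": {"t", "o"}, "ml_l_o": {"o"},
    # non-prophetic classes (Sect. 3.2): neither e nor o is visible
    "ml_l_v": {"v"}, "ml_l_t": {"t"}, "ml_l": set(),
}


def is_prophetic(cls):
    """A class is prophetic if it can see expiration times or their order."""
    return bool(CLASSES[cls] & {"e", "o"})


def bucket(x, n):
    """Index i of the interval [i/n, (i+1)/n) that contains x (Sect. 5)."""
    return math.floor(x * n)


def expiration_order(s):
    """Order in which the clocks will expire: clocks sorted by the remaining
    time e(c) - v(c), as in the proof of Proposition 8."""
    return tuple(sorted(s.v, key=lambda c: s.e[c] - s.v[c]))


def view(s, cls, n):
    """Discretised view of state s for scheduler class cls with factor n."""
    seen = CLASSES[cls]
    parts = [s.loc]
    if "v" in seen:
        parts.append(tuple(sorted((c, bucket(x, n)) for c, x in s.v.items())))
    if "t" in seen:
        parts.append(bucket(s.t, n))
    if "e" in seen:
        parts.append(tuple(sorted((c, bucket(x, n)) for c, x in s.e.items())))
    if "o" in seen:
        parts.append(expiration_order(s))
    return tuple(parts)


def decide(seed, s, cls, n, actions):
    """Lightweight scheduler `seed`: choose among the enabled actions by
    hashing the seed together with the view (deterministic per view)."""
    digest = hashlib.sha256(f"{seed}|{view(s, cls, n)}".encode()).digest()
    return actions[int.from_bytes(digest[:8], "big") % len(actions)]


if __name__ == "__main__":
    # Constructed sample states: both clocks just reset (v = 0) in location l1,
    # as in l1 of M0, differing only in the sampled expiration times.
    s1 = State("l1", {"x": 0.0, "y": 0.0}, {"x": 0.2, "y": 0.7}, 0.0)
    s2 = State("l1", {"x": 0.0, "y": 0.0}, {"x": 0.9, "y": 0.3}, 0.0)
    for cls in ("ml_l_v_e", "ml_l_o", "ml_l_v"):
        print(cls, view(s1, cls, 4), view(s2, cls, 4),
              decide(7, s1, cls, 4, ["left", "right"]),
              decide(7, s2, cls, 4, ["left", "right"]))
```

The prophetic classes separate the two constructed states (and so can pick the winning clock), whereas every non-prophetic class maps them to one view and must decide identically, which is why no non-prophetic scheduler beats probability ½ on M0.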

We have modelled M1 through M6 as STA in Modest. For each sched- 
uler class and model in the proof of a proposition, and discretisation factors 
n ∈ {1, 2, 4}, we sampled 10000 schedulers and performed statistical model 
checking for each of them in the lightweight manner. In Fig. 11 we report the min. 
and max. estimates, (P̂min, P̂max)_n, over all sampled schedulers. Where different 
discretisations lead to different estimates, we report the most extremal values. 
The subscript denotes the discretisation factors that achieved the reported esti- 
mates. The analysis for each sampled scheduler was performed with a number of 
simulation runs sufficient for the overall max./min. estimates to be within ±0.01 
of the true maxima/minima of the sampled set of schedulers with probability 
≥ 0.95 [18]. Note that P̂min is an upper bound on the true minimum probability 
and P̂max is a lower bound on the true maximum probability. 

Increasing the discretisation factor or increasing the scheduler power gener- 
ally increases the number of decisions the schedulers can make. This may also 
increase the number of critical decisions a scheduler must make to achieve the 
extremal probability. Hence, the sets of discretisation factors associated to spe- 
cific experiments may be informally interpreted in the following way: 


— {1,2,4}: Fine discretisation is not important for optimality and optimal 
schedulers are not rare. 

— {1,2}: Fine discretisation is not important for optimality, but increases rarity 
of optimal schedulers. 

— {2,4}: Fine discretisation is important for optimality, optimal schedulers are 
not rare. 

— {1}: Optimal schedulers are very rare. 

— {2}: Fine discretisation is important for optimality, but increases rarity of 
schedulers. 

— {4}: Fine discretisation is important for optimality and optimal schedulers 
are not rare. 
Fig. 11. Results from the prototype of lightweight scheduler sampling for SA 


The results in Fig. 11 respect and differentiate our hierarchy. In most cases, we 
found schedulers whose estimates were within the statistical error of calculated 
optima or of high confidence estimates achieved by alternative statistical tech- 
niques. The exceptions involve M3 and M4. We note that M4 makes use of an 
additional clock, increasing the dimensionality of the problem and potentially 
making near-optimal schedulers rarer. The best result for M3 and class G7"! , 
was obtained using discretisation factor n = 2: a compromise between nearness 
to optimality and rarity. A greater compromise was necessary for M4 and classes 
𝔖^ml_ℓ and 𝔖^ml_{ℓ,t}, where we found near-optimal schedulers to be very rare and achieved 
best results using discretisation factor n = 1. 

The experiments demonstrate that lightweight scheduler sampling can pro- 
duce useful and informative results with SA. The present theoretical results will 
allow us to develop better abstractions for SA and thus to construct a refinement 
algorithm for efficient lightweight verification of SA that will be applicable to 
realistically sized case studies. As is, they already demonstrate the importance 
of selecting a proper scheduler class for efficient verification, and that restricted 
classes are useful in planning scenarios. 


6 Conclusion 


We have shown that the various notions of information available to a scheduler 
class, such as history, clock order, expiration times or overall elapsed time, almost 
all make distinct contributions to the power of the class in SA. Our choice of 
notions was based on classic scheduler classes relevant for other stochastic mod- 
els, previous literature on the character of nondeterminism in and verification of 
SA, and the need to synthesise simple schedulers in planning. Our distinguishing 
examples clearly expose how to exploit each notion to improve the probability 
of reaching a goal. For verification of SA, we have demonstrated the feasibility 
of lightweight scheduler sampling, where the different notions may be used to 
finely control the power of the lightweight schedulers. To solve stochastic timed 
planning problems defined via SA, our analysis helps in the case-by-case selec- 
tion of an appropriate scheduler class that achieves the desired tradeoff between 
optimal probabilities and ease of implementation of the resulting plan. 

We expect the arguments of this paper to extend to steady-state/frequency 
measures (by adding loops back from absorbing to initial states in our examples), 
and that our results for classic schedulers transfer to SA with delayable actions. 
We propose to use the results to develop better abstractions for SA, the next 
goal being a refinement algorithm for efficient lightweight verification of SA. 
Abstract. We study quantitative properties of the response time in 
stochastic models. For instance, we are interested in quantifying bounds 
such that a high percentage of the runs answers a query within these 
bounds. To study such problems, computing probabilities on a state- 
space blown-up by a factor depending on the bound could be used, but 
this solution is not satisfactory when the bound is large. 

In this paper, we propose a new symbolic method to quantify bounds 
on the response time, using the moments of the distribution of sim- 
ple stochastic systems. We prove that the distribution (and hence the 
bounds) is uniquely defined given its moments. We provide optimal 
bounds for the response time over all distributions having a pair of 
these moments. We explain how to symbolically compute in polynomial 
time any moment of the distribution of response times using adequately- 
defined semirings. This allows us to compute optimal bounds in para- 
metric models and to reduce complexity for computing optimal bounds 
in hierarchical models. 


1 Introduction 


Response time has been considered lately as an important property of systems 
[8, 15,21]. In this context, one does not simply want a query to be answered even- 
tually, but to be answered in a reasonable amount of time. In the model-checking 
community, problems on response time have been studied mainly qualitatively, 
in the context of (pure, that is non stochastic) two-player games [8,21]. There, 
one looks for a strategy ensuring that the lim-sup of response time is finite. It 
ensures that under this strategy, there will be a bound on the response time to 
any query. This has been extended in [15] to a quantitative setting, where one 
wants to optimize the mean response time in a pure two-player game. 

In this paper, we consider stochastic systems. In such systems, the response 
time is a random variable, unlikely to be bounded as even a single probabilistic 
loop on a reachable state will make the response time longer than T for a set 
of runs of small but positive probability, no matter T. Instead, we propose to 
quantify such response times. One way to do that is to obtain the distribution 
of response times. Another way is to compute, for a probability 0 < p < 1, the 
bound T that is satisfied (by a set of runs) with probability at least 1 — p. In 
this paper, we tackle both problems. For that, we use the concept of moments 
of the distribution of response times, as described next. 

The moment of order r of a probability distribution δ over ℝ or ℝ⁺ is defined 
as the integral of x^r δ(x) over the support of δ, when defined (that is if x^r δ(x) is 
measurable and the integral is defined). For instance, the moment of order 1 is 
the expected value of δ, while the moment of order 2 allows one to compute the 
standard deviation of δ. Inspired by the computation of entropy for automata [10] 
(see also [1] for the computation of entropy for (non-Zeno) timed-automata), we 
design new semirings in which each moment corresponds to the sum of weights of 
runs reaching a state. This construction can be applied to probabilistic automata 
(that is, labeled discrete time Markov chains), as well as labeled continuous time 
Markov chains, where time is continuous and is drawn according to some rate. 
Adapting the Floyd-Warshall algorithm provides a symbolic way to perform the 
computation of the n first moments in time cubic in the number of states of the 
Markov Chain, and quadratic in n. For any n, we can thus compute the value 
of the first n moments. In some sense, we extend the approach of [12,16] from 
computing probabilities to computing any moments. This allows us to evaluate 
the distribution of response times in two ways: 

Firstly, thanks to the symbolic expression of moments, we prove that there 
is a unique distribution having the moments of a distribution of response times 
of a probabilistic automaton. We can then build a sequence of distributions 
matching the first n moments, for instance the maximal entropy one [11]. Here, 
maximal entropy means assuming the least information besides these moments. 
This sequence of distributions is then ensured to converge in law towards the 
distribution of response times. 

Secondly, we study optimal symbolic bounds on the time to answer a high 
percentage of queries, obtained from moments. The Tchebychev inequality pro- 
vides optimal symbolic bounds when considering the space of distributions hav- 
ing one given moment, of any order i. We obtain bounds optimal in the space 
of distributions having two given moments, of any orders i, j. We show how this 
improves Tchebychev bounds on some example. Having symbolic methods allows 
for instance to deal with parametric systems where the parameters represent 
uncertain probabilities. In this case, we can compute optimal bounds satisfying 
all valuations of parameters. For hierarchical systems [3], which are compact 
representations of large systems, our symbolic method allows to design a much 
more efficient algorithm (e.g. it does not consider twice the same component) to 
compute the moments, and thus the bounds. Missing proofs can be found in [5]. 


Related Work: Response times in stochastic systems have been studied for a 
long time by the perf.eval. community under the name “first passage times”, 
e.g. in [22]. Techniques used in this community to compute moments of Markov 
chains are mostly based on numerical methods, e.g. [13]. While [13] has the same 
complexity as our symbolic technique, it is very efficient on explicit models. How- 
ever, these numerical methods are less adaptable than our symbolic algorithm, 
in particular concerning parametric or hierarchical systems. 
Concerning the determinacy of the distribution given moments, it is known 
[20] that phase-type distributions of order n are determined by their first 2n — 1 
moments. First passage distribution time in Markov chains with n states are 
phase type distribution of order n. However, [20] does not help characterizing 
bounds as it does not ensure that a non-phase type distribution cannot have the 
exact same moments as a phase type distribution, unlike our result. 

Bounding the response time has also been studied in the perf.eval. commu- 
nity. Again, methods used there are mostly numerical [6,19]. In [19] (pp. 68-69), 
a symbolic bound is also provided in the particular case of moments of order 1, 
2 and 3. In [2], it is shown how to use the two first moments of response time 
across various components to compute general bounds, using techniques close 
to ours, but restricted to moments of order 1 and 2. In our paper, we provide 
optimal bounds for any order (i, j) ∈ ℕ². Taking into account moments of order 
i, j ≥ 3 is important when the proportion of runs to answer is close to 1. 

Last, computing moments find other applications. For instance, in [4,7,14], 
complex functions describing the evolution of molecular species are approximated 
using the first k moments, for some k. 


2 Probabilistic Automata 


We first introduce a simple class of models, namely probabilistic automata (also 
called labeled discrete time Markov chains), on which we can demonstrate our 
techniques. Later, we will extend our results to handle continuous time, con- 
sidering Continuous-Time Markov Chains (CTMC), as well as parametric and 
hierarchical systems. 


Definition 1. A probabilistic automaton A over a finite alphabet Σ is a tuple 
(S, Pr, δ0) where: 

— S is a finite set of states, 
— Pr: S × Σ × S → [0,1] is a stochastic transition function such that for all 
s ∈ S, $\sum_{a \in \Sigma} \sum_{t \in S} \Pr(s,a,t) = 1$: the weights of paths leaving s sum to 1, 
— δ0: S → [0,1] is the initial distribution over states such that $\sum_{s \in S} \delta_0(s) = 1$. 


Example 1. For instance, the model depicted on Fig. 1 is a probabilistic automa- 
ton with 3 states {1,2,3}. There is a transition between 1 and 2 labeled query 
with probability 1. From state 2, with probability .9 we stay in state 2 with a 
transition labeled wait, and with probability .1 we go to state 3 with a transition 
labeled response. We loop in state 3 with probability 1. 


Fig. 1. A simple example of a query-response model (transition labels: query, wait, response, compute) 
A finite sequence π = s0, a1, s1, …, an, sn ∈ (SΣ)*S is called a finite path 
starting from s0 and ending in sn, and a transition t ∈ π if t = s_i a_{i+1} s_{i+1} for 
some i. We denote |π| = n the length of the path π. For a path π1 ending in 
sn and a path π2 starting from sn, we can define the concatenated path π1 · π2 
where the last node of π1 and the first node of π2 are merged. A path π1 is a 
prefix of π if there exists a path π2 such that π1 · π2 = π. 

For a path π starting in a state s0, we define $P(\pi) = \prod_{t \in \pi} \Pr(t)$ the probability 
that a path with prefix π is executed from s0. A path π is realizable if P(π) > 0. 

Let s be a state, and Π be a set of finite paths starting from s such that 
no path in Π is a prefix of another path in Π. Then the probability that a 
path starting from s has a prefix in Π is $P(\Pi) = \sum_{p \in \Pi} P(p)$. We say that Π is 
disjoint if no path p of Π is a prefix of another path p′ ≠ p of Π or similarly, 
Cyl(p) ∩ Cyl(p′) = ∅ with Cyl(p) = {π, p prefix of π}. 

Some labels of an automaton will be of particular interest concerning response 
time. Let Xo C X be a subset of labels standing for queries, and Xr C X be a 
subset of labels standing for responses. For simplicity, we will assume that there 
is a unique query type Xo = {q} and a unique response type Xr = {r}, with 
q # r. We will also assume that there is no path with two (similar) queries q. 
To handle cases with several query/response types, it suffices for each type to 
consider only queries and answers of that type and disregard other types. 


Problem Statement: We are interested in quantifying the time between queries 
and responses, called the response time, which is a random variable. A way 
to quantify it is to produce the distribution of response times, either for each 
transition labeled by a query, or averaged on these transitions, weighted by the 
probability to see each of these transitions. Another way is to answer model- 
checking questions such as: what is the smallest delay T such that the mass of 
paths unanswered after T units of time is smaller than some probability p? 

To compute both the distribution and the delay T, we will use the so called 
moments of the distribution of response times. The moment of order 1 is the mean 
value, and the moment of order 2 allows to compute the standard deviation. 


3 Symbolically Computing Moments Using Semirings 


In this section, we define moments and explain how to compute them symbolically 
using appropriately-defined semirings. 

Let $X$ be the random variable of the response time. If all queries are answered, 
then $X$ takes values in $\mathbb{N}$, else $X$ takes values in $\mathbb{N} \cup \{\infty\}$. Let $p(x)$ be 
the probability that the response is obtained $x$ units of time after the query, that 
is, the probability that $X = x$. Variable $p$ is a distribution over response time, 
with $\sum_x p(x) = 1$. 


Definition 2. For $p : \mathbb{N} \to [0,1]$ and $n \in \mathbb{N}$, we define the $n$-th moment of $p$ by 
$\sum_{x \in \mathbb{N}} p(x) \cdot x^n = E(X^n)$, that is the expected value of $X^n$. 
3.1 Semirings Associated with Moments 


We will compute moments of the distribution of response times by considering 
each query individually. We can then take e.g. the average over all queries (as 
we assumed that there are no two queries on the same path). Thus, we first fix 
a state $q$, target of a transition labeled by a query. State $q$ symbolizes that a 
query has just been asked. We then let $R$ be the set of target states of transitions 
labeled by a response. A state is in $R$ if a response to this query has just been 
given. For instance, in Fig. 1, we have $q = 2$ and $R = \{3\}$. 

We introduce a set of semirings that will allow us to compute symbolically the 
moment of order $n$ of the distribution of response times to the query associated 
with state $q$, for all $n \in \mathbb{N}$. We will compute the moment inductively on a disjoint 
subset $\Pi$ of paths of $\mathcal{A}$ from $q$ to $R$. For an integer $n$, we denote $\mu_n(\Pi) = 
\sum_{\rho \in \Pi} P(\rho) |\rho|^n$. Let $Path_q^R$ be the set of paths in the automaton $\mathcal{A}$ between $q$ and 
the first occurrence of $R$. Notice that $Path_q^R$ is disjoint. Thus, we have that 
$\mu_n(Path_q^R)$ is the moment of order $n$ of the distribution of response times to 
the query associated with state $q$. To avoid some heavy notations, when $R$ is 
reduced to one state $t$, let $Path_s^t$ be the set of paths between $s$ and the first 
occurrence of $t$, and we denote $\mu_n(s,t) = \mu_n(Path_s^t)$. 

We now give some properties of $\mu$. Let $\Pi_1$ be a set of paths ending in some 
state $s$ and let $\Pi_2$ be a set of paths starting from $s$. We denote by $\Pi_1 \cdot \Pi_2$ the 
set of paths $\rho_1 \rho_2$ with $\rho_1 \in \Pi_1$ and $\rho_2 \in \Pi_2$. 


Proposition 1. For all $n$, we have $\mu_n(\Pi_1 \cdot \Pi_2) = \sum_{i=0}^{n} \binom{n}{i} \mu_i(\Pi_1) \cdot \mu_{n-i}(\Pi_2)$. 


This property hints at a set of semirings $(\mathbb{R}^{n+1}, \oplus_n, \otimes_n, \mathbf{0}_n, \mathbf{1}_n)$ with good 
properties to compute moments. For $(n+1)$-tuples $(x_0, \ldots, x_n)$ and $(y_0, \ldots, y_n)$, we 
define operations $\oplus_n$ and $\otimes_n$: 

- $(x_0, \ldots, x_n) \oplus_n (y_0, \ldots, y_n) = (x_0 + y_0, \ldots, x_n + y_n)$ 
- $(x_0, \ldots, x_n) \otimes_n (y_0, \ldots, y_n) = (z_0, \ldots, z_n)$ with $z_i = \sum_{j=0}^{i} \binom{i}{j} x_j y_{i-j}$ 

The neutral element for $\oplus_n$ is $\mathbf{0}_n = (0, \ldots, 0)$. $\mathbf{0}_n$ is an annihilator for $\otimes_n$. 
The neutral element for $\otimes_n$ is $\mathbf{1}_n = (1, 0, \ldots, 0)$. In the following, we will denote 
the different laws and elements by $\oplus$, $\otimes$, $\mathbf{0}$ and $\mathbf{1}$. 


Proposition 2. For $n \geq 0$, $(\mathbb{R}^{n+1}, \oplus, \otimes, \mathbf{0}, \mathbf{1})$ defines a commutative semiring. 


Notice that if for all $i \leq n$, we have $x_i = \mu_i(\Pi_1)$ and $y_i = \mu_i(\Pi_2)$, denoting 
$(z_0, \ldots, z_n) = (x_0, \ldots, x_n) \otimes_n (y_0, \ldots, y_n)$, we get $\mu_i(\Pi_1 \cdot \Pi_2) = z_i$. Further, if 
both $\Pi_1, \Pi_2$ are disjoint, and if no path of $\Pi_1$ (resp. $\Pi_2$) is a prefix of a path of 
$\Pi_2$ (resp. $\Pi_1$), then $\mu_i(\Pi_1 \cup \Pi_2) = x_i + y_i$. 
3.2 Computations in a Semiring 


Following the Floyd-Warshall algorithm to sum weights of paths reaching a state, 
we will decompose inductively $Path_q^R$ using operations $\cup$ and $\cdot$. We will then use 
the semiring $(\mathbb{R}^{n+1}, \oplus, \otimes, \mathbf{0}, \mathbf{1})$ to perform these computations inductively. The 
induction will be over the number of states in $S$. Let $G$ be a subset of $S$ disjoint 
with $R$: $G \cap R = \emptyset$. For all states $s \in S \setminus R$, we define $Path_s^t(G) = \{s_0 \cdots s_n \mid 
s_0 = s, s_n = t, \forall 1 \leq i \leq n-1, s_i \in G\}$ the set of paths from state $s$ to state $t$ 
using only states of $G$, except for the initial state, which is $s$, and for the last state, 
which is $t$, even if $s,t \in R$ or $s,t \notin G$. 

For a set of paths $\Pi$, we define $w_n(\Pi) = (P(\Pi), \mu_1(\Pi), \ldots, \mu_n(\Pi))$. Let 
$g \in G$ be a state of $G$. A path $\rho$ in $Path_s^t(G)$ has two possibilities: either it does 
not use $g$, or it uses $g$ one or several times. We deduce the inductive formula: 


Proposition 3. $w_n(Path_s^t(G)) = w_n(Path_s^t(G \setminus \{g\})) \oplus 
w_n(Path_s^g(G \setminus \{g\})) \otimes \left(\bigoplus_{k \geq 0} w_n(Path_g^g(G \setminus \{g\}))^{\otimes k}\right) \otimes w_n(Path_g^t(G \setminus \{g\}))$, 
where $w^{\otimes 0} = \mathbf{1}$ (the term $k = 0$ accounts for the paths passing through $g$ without cycling). 


Proof (Sketch of). If $\rho$ does not use $g$, we have $\rho$ is in $Path_s^t(G \setminus \{g\})$. Otherwise, 
$\rho$ can be expressed as $\rho_0 \ldots \rho_k$ with: 

- $\rho_0$ is in $Path_s^g(G \setminus \{g\})$, 
- $\rho_k$ is in $Path_g^t(G \setminus \{g\})$, 
- and for all $0 < j < k$, $\rho_j \in Path_g^g(G \setminus \{g\})$. 

We can then write an inductive formula satisfied by $Path_s^t(G)$: 

$Path_s^t(\emptyset) = \{(s,a,t) \mid \Pr(s,a,t) \neq 0\}$ 

$Path_s^t(G) = Path_s^t(G \setminus \{g\}) \cup \bigcup_{k=1}^{\infty} \{\rho_0 \ldots \rho_k \mid \rho_0 \in Path_s^g(G \setminus \{g\}), 
\rho_k \in Path_g^t(G \setminus \{g\}), \forall i \in [1, k-1], \rho_i \in Path_g^g(G \setminus \{g\})\}$ 


In order to use this formula, we need to compute $\bigoplus_{k \geq 0} w_n(Path_g^g(G \setminus \{g\}))^{\otimes k} = 
w_n(Path_g^g(G))$, which represents what happens along a cycle from $g$ to $g$. Let 
$(g, \Pi)$ be a pair with $g$ a state and $\Pi$ a set of paths (cycles) using $g$ exactly twice: 
the first state and the last state are $g$. The pair $(g, Path_g^g(G \setminus \{g\}))$ satisfies 
this property. We define $w_n^*(\Pi) = \bigoplus_{k \geq 0} w_n(\Pi)^{\otimes k}$, where $\Pi^0$ is the trivial 
path of length 0 (probability 1) and $w_n(\Pi)^{\otimes 0} = \mathbf{1}$. The restriction on $(g, \Pi)$ ensures 
that $\bigcup_{k \geq 1} \Pi^k$ is disjoint. We show that $w_n^*(\Pi)$ is defined in most cases, namely 
when $P(\Pi) < 1$. 


Proposition 4. Let $\Pi$ be a set of paths using state $g$ exactly twice, as first and 
last state. If $P(\Pi) < 1$, then 

$w_n^*(\Pi)[0] = w_0^*(\Pi) = P\left(\bigcup_{k \geq 0} \Pi^k\right) = \frac{1}{1 - P(\Pi)}$ and for $i > 0$ 

$w_n^*(\Pi)[i] = \frac{1}{1 - P(\Pi)} \sum_{j=0}^{i-1} \binom{i}{j}\, w_n(\Pi)[i-j] \times w_n^*(\Pi)[j]$ 


Notice that $P(\Pi) = 1$ describes cases where $t$ cannot be reached (as $t \notin G$, 
if $P(Path_g^g(G \setminus \{g\})) = 1$, it would mean that every path reaching $g$ stays in 
$G$ forever, and in particular never meets $t$). Thus, we first compute the set of 
states $S_1$ from which there exists a path to $R$. Notice that for each set $\Pi$ of paths 
ending in $g \in S_1 \setminus R$, we have $P(\Pi) < 1$, because there is a positive probability 
to reach $R$ from $g$, which is not captured by paths in $\Pi$. 


3.3 A Symbolic Algorithm 


From the inductive formulae to compute sets of paths from subsets of paths and to 
compute $w_n^*(\Pi)[i]$ from $w_n^*(\Pi)[j]$ for $j < i$, we deduce Algorithm 1, following the 
ideas of Floyd-Warshall, incrementally adding non-response states from $S_1 \setminus R$, 
which can be used as intermediate states. Notice that states in $S \setminus S_1$ cannot 
reach $R$ anyway. This algorithm is symbolic (or algebraic) in that every constant 
(e.g. $\Pr(s,a,t)$) can be replaced by a variable (see e.g. Sect. 4.2). 


Theorem 1. Let $\mathcal{A} = (S, \Pr, \delta_0)$ be a probabilistic automaton. One can compute 
$\mu_i(s,t)$ for all $i \leq n$ and $s,t \in S$ in time $O(n^2 \times |S|^3)$. 


Proof. In Algorithm 1, after running the outer for-loop on $g_1, \ldots, g_j$, we have 
$w_n(s,t)[n] = \mu_n(Path_s^t(\{g_1, \ldots, g_j\}))$. At the end of Algorithm 1, we obtain 
$w_n(s,t)[n] = \mu_n(Path_s^t) = \mu_n(s,t)$. 


Algorithm 1: Algorithm computing the moment of order $n$ 

for $s \in S$ do 
    for $t \in S$ do 
        % Initialization 
        $w := \sum_{a \in \Sigma} \Pr(s,a,t)$ 
        $w_n(s,t) := (w, w, \ldots, w)$ 
    end 
end 
for $g \in S_1 \setminus R$ do 
    for $s \in S$ do 
        for $t \in S$ do 
            $w_n(s,t) := w_n(s,t) \oplus w_n(s,g) \otimes w_n(g,g)^* \otimes w_n(g,t)$ 
        end 
    end 
end 
To obtain $\mu_i(s,t)$ for all $i \leq n$, it suffices to run Algorithm 1 inductively on 
moments of order $1, \ldots, n$. Computing $w^*[i](s,t)$ in the inner for-loop takes time 
$O(i)$ as $w_n[j](s,t) = w_j[j](s,t)$ has already been computed inductively for all 
$j < i$. This yields the complexity of $O(\sum_{i=1}^{n} i \times |S|^3) = O(n^2 \times |S|^3)$. 


Now, for each query $q$, we have $\mu_i(Path_q^R) = \sum_{r \in R} \mu_i(q,r)$, as $Path_q^{r_1}$ and 
$Path_q^{r_2}$ have no path prefix of each other for $r_1 \neq r_2$, $r_1, r_2 \in R$. Now, the 
moment of order $n$ of the distribution of response times of $q$ is formally either $\infty$ 
if $\mu_0(Path_q^R) < 1$ (there is positive probability to never answer $q$, that is to have 
an infinite response time), and $\mu_n(Path_q^R)$ otherwise. 


Example 2. For the example of Fig. 1, unfolding the algorithm for $n = 2$ (that 
is for probability, and moments of order 1 and 2) gives after initialization: 
$w(1,2) = (1,1,1)$, $w(2,2) = (0.9, 0.9, 0.9)$, $w(2,3) = (0.1, 0.1, 0.1)$, and 
$w(1,3) = (0,0,0)$, as there is no direct transition from state 1 to state 3. 
There are no paths with intermediary states 1 or 3, so $g = 1$ or $g = 3$ does 
not have any impact. For paths with intermediary state $g = 2$, the algorithm 
gives: 

- $w(2,2) \leftarrow w(2,2) \oplus w(2,2) \otimes w(2,2)^* \otimes w(2,2) = w(2,2) \otimes w(2,2)^*$ 
- $w(2,3) \leftarrow w(2,3) \oplus w(2,2) \otimes w(2,2)^* \otimes w(2,3) = w(2,3) \otimes w(2,2)^*$ 
- $w(1,3) \leftarrow w(1,3) \oplus w(1,2) \otimes w(2,2)^* \otimes w(2,3)$ 

We have $w(2,2)^* = \left(\frac{1}{1-0.9},\ \frac{0.9}{(1-0.9)^2},\ \frac{0.9}{(1-0.9)^2} + \frac{2 \cdot 0.9^2}{(1-0.9)^3}\right) = (10, 90, 1710)$. 
At the end of the algorithm, we obtain $\mu_i(2,3) = \mu_i(Path_2^3) = w(2,3) = 
(0.1, 0.1, 0.1) \otimes (10, 90, 1710) = (1, 10, 190)$. Hence, in this probabilistic automaton, 
the probability of responding to the query is 1, in a mean time of 10, with a 
standard deviation of $\sqrt{190 - 10^2} \approx 9.5$. 


3.4 Extension to Continuous Time 


We now extend the symbolic computation of moments to continuous-time 
Markov chains (CTMCs). In order to be as close as possible to the setting of 
probabilistic automata, we use the sojourn time representation of CTMCs. This 
representation is fully equivalent to the more usual representation of CTMCs 
with transition rates, see Chap. 7.3 of [9]. 


Definition 3. A CTMC is a tuple $(S, \Pr, \delta_0, (\lambda_s)_{s \in S})$ with: 

- $(S, \Pr, \delta_0)$ is a probabilistic automaton, and 
- for all $s$, $\lambda_s$ is the sojourn parameter associated with state $s$. That is, the 
PDF of the sojourn time is $X_s(t) = \lambda_s e^{-\lambda_s t}$ and the probability to 
stay in $s$ at least $t$ units of time is $e^{-\lambda_s t}$. 


In this continuous context, we need integrals instead of sums to define the 
$i$-th moment of a variable $X$: $\mu_i(X) = \int_0^{\infty} X(t)\, t^i\, dt$. For every state $s \in S$, 
let $X_s(t) = \lambda_s e^{-\lambda_s t}$. For all $i$, for all $s$, $\mu_i(X_s)$ is well defined and $\mu_i(X_s) = \frac{i!}{\lambda_s^i}$. 

We can easily extend the computation of moments for CTMCs. The induc- 
tive formulas for probabilities and moments of the reaching time distribution 
remain unchanged. We only need to change the definition of moments for 
every transition, which is input at the initialization phase of Algorithm 1: 
for all $s,t \in S$, we set $w_n(s,t)$ to be $(w^0(s,t), w^1(s,t), \ldots, w^n(s,t))$, where 
$w^0(s,t) = \sum_{a \in \Sigma} \Pr(s,a,t)$ and $w^i(s,t) = \sum_{a \in \Sigma} \Pr(s,a,t) \cdot \frac{i!}{\lambda_s^i}$ for all $i \in [1,n]$. 

Theorem 2. Let $\mathcal{A} = (S, \Pr, \delta_0, (\lambda_s)_{s \in S})$ be a CTMC. One can compute $\mu_i(s,t)$ 
for all $i \leq n$ and $s,t \in S$ in time $O(n^2 \times |S|^3)$. 
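The semiring operations of Sect. 3.1, the star of Proposition 4 and Algorithm 1 of Sect. 3.3, run on the automaton of Fig. 1 as in Example 2 and then with the CTMC initialization of Sect. 3.4, as an added example that is not code from the paper. The encoding of Fig. 1 (transitions 1 to 2, 2 to 2 and 2 to 3 with the probabilities of Example 2), the leaky variant, the sojourn parameters and all function names are my own assumptions.

```python
# Moment semiring of Sect. 3.1, the star of Proposition 4 and Algorithm 1 of
# Sect. 3.3, with the CTMC initialization of Sect. 3.4. Constructed example,
# not the paper's code; automata, names and sojourn parameters are my own.
from fractions import Fraction
from math import comb, factorial, inf

def oplus(x, y):
    """Componentwise sum: moments of the union of two prefix-disjoint path sets."""
    return tuple(a + b for a, b in zip(x, y))

def otimes(x, y):
    """Binomial convolution: moments of a concatenation Pi_1 . Pi_2 (Proposition 1)."""
    return tuple(sum(comb(i, j) * x[j] * y[i - j] for j in range(i + 1))
                 for i in range(len(x)))

def star(w):
    """w* = (+)_{k>=0} w^(x)k with w^(x)0 = (1, 0, ..., 0), via the recurrence
    of Proposition 4; requires P(Pi) = w[0] < 1."""
    p = Fraction(w[0])
    if p >= 1:
        raise ValueError("w* is undefined when P(Pi) >= 1: the cycle is never left")
    res = [1 / (1 - p)]
    for i in range(1, len(w)):
        res.append(sum(comb(i, j) * w[i - j] * res[j] for j in range(i)) / (1 - p))
    return tuple(res)

def pa_init(states, trans, n):
    """Initialization of Algorithm 1 for a probabilistic automaton: a direct
    transition has length 1, so w_n(s, t) = (w, ..., w) with w = sum_a Pr(s, a, t).
    trans maps (s, t) to that sum (labels already summed out)."""
    return {(s, t): (Fraction(trans.get((s, t), 0)),) * (n + 1)
            for s in states for t in states}

def ctmc_init(states, trans, lam, n):
    """Initialization for a CTMC (Sect. 3.4): the sojourn time in s is exponential
    with parameter lam[s], whose i-th moment is i!/lam[s]^i."""
    return {(s, t): tuple(Fraction(trans.get((s, t), 0)) * factorial(i) / lam[s] ** i
                          for i in range(n + 1)) for s in states for t in states}

def can_reach(edges, R):
    """S_1: the states from which R is reachable (backward closure over edges)."""
    S1 = set(R)
    while True:
        new = {s for s, t in edges if t in S1} - S1
        if not new:
            return S1
        S1 |= new

def moments(states, w0, R):
    """Algorithm 1 on initial weights w0. Returns w_n(s, t) = (P, mu_1, ..., mu_n)
    of the paths from s to t whose intermediate states lie in S_1 \\ R, i.e. for
    t in R the paths to the first occurrence of t."""
    w = dict(w0)
    edges = {st for st, v in w0.items() if v[0] > 0}
    for g in sorted(can_reach(edges, R) - set(R)):
        old = dict(w)  # Proposition 3 combines the values computed before g joined G
        cyc = star(old[(g, g)])
        for s in states:
            for t in states:
                w[(s, t)] = oplus(old[(s, t)],
                                  otimes(otimes(old[(s, g)], cyc), old[(g, t)]))
    return w

def response_moments(states, w0, q, R):
    """Moments of the response time of the query whose target state is q:
    mu_i(Path_q^R) = sum_{r in R} mu_i(q, r). When the answering probability is
    below 1 the moments are formally infinite (Sect. 3.3)."""
    n = len(next(iter(w0.values()))) - 1
    w = moments(states, w0, R)
    total = tuple(sum(w[(q, r)][i] for r in R) for i in range(n + 1))
    return total if total[0] >= 1 else (total[0],) + (inf,) * n

# Fig. 1 as used in Example 2: 1 -> 2 with probability 1 (the query transition),
# 2 -> 2 with probability 0.9, 2 -> 3 with probability 0.1 (the response).
# Transitions leaving state 3 do not matter for R = {3} and are omitted.
FIG1_STATES = [1, 2, 3]
FIG1_TRANS = {(1, 2): Fraction(1), (2, 2): Fraction(9, 10), (2, 3): Fraction(1, 10)}
# Constructed variant in which the query may stay unanswered: 2 -> 4 leaks to a sink.
LEAKY_STATES = [1, 2, 3, 4]
LEAKY_TRANS = {(1, 2): Fraction(1), (2, 2): Fraction(17, 20), (2, 3): Fraction(1, 10),
               (2, 4): Fraction(1, 20), (4, 4): Fraction(1)}

def fig1_response_moments(n):
    """(P, mu_1, ..., mu_n) for the query of Fig. 1, as exact rationals."""
    return response_moments(FIG1_STATES, pa_init(FIG1_STATES, FIG1_TRANS, n), 2, [3])

def fig1_ctmc_response_moments(n, lam):
    """Same query when Fig. 1 is read as a CTMC with sojourn parameters lam."""
    w0 = ctmc_init(FIG1_STATES, FIG1_TRANS, lam, n)
    return response_moments(FIG1_STATES, w0, 2, [3])

def leaky_response_moments(n):
    """The constructed leaky variant: P < 1, hence infinite moments."""
    return response_moments(LEAKY_STATES, pa_init(LEAKY_STATES, LEAKY_TRANS, n), 2, [3])

if __name__ == "__main__":
    prob, mean, second = fig1_response_moments(2)
    print("P =", prob, "mean =", mean, "second moment =", second)
    print("standard deviation =", float(second - mean ** 2) ** 0.5)
    print("CTMC with lambda_2 = 2:", fig1_ctmc_response_moments(2, {1: 1, 2: 2, 3: 1}))
    print("leaky variant:", leaky_response_moments(2))
```

With exact rationals the run reproduces $(1, 10, 190)$ of Example 2 and the higher moments $5410$ and $205390$ listed in Example 4; for the CTMC reading, halving the sojourn time in state 2 halves the mean.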


4 Uniqueness of Distribution, Parameters and Hierarchy 


In this section, we present cases where having a symbolic algorithm allows effi- 
cient techniques, compared to numerical methods. We start with hierarchical 
systems which are a way to compactly describe systems. Then, we present the 
possibility to work on systems with parameters. Finally, thanks to the symbolic 
expression of moments, we prove that there is a unique distribution having the 
moments of a distribution of reaching times of a (continuous-time) Markov chain. 


4.1 Hierarchical Probabilistic Automata 
We use notations mainly from [3] to describe hierarchical structures: 


Definition 4. A hierarchical probabilistic automaton (HPA) $\mathcal{A}$ over a finite 
alphabet $\Sigma$ is a tuple of $n$ modules $(S_i, \Pr_i, \lambda_i, s_i^0, s_i^f)_{1 \leq i \leq n}$ where for all $i$, 

- $S_i$ is the finite set of states of module $i$, 
- $s_i^0 \in S_i$ is the initial state of module $i$, and $s_i^f$ the final state of module $i$, 
- $\Pr_i : S_i \setminus \{s_i^f\} \times \Sigma \times S_i \to [0,1]$ is a stochastic transition function such that 
for all $s \in S_i \setminus \{s_i^f\}$ (resp. $s \in S_1$ for $i = 1$), $\sum_{a \in \Sigma} \sum_{t \in S_i} \Pr_i(s,a,t) = 1$, 
- $\lambda_i : S_i \to \{i+1, \ldots, n\}$ is a partial mapping associating some states of $S_i$ 
from module $i$ to deeper modules. 


Intuitively, the system starts in module 1, in state $s_1^0$. Each time a state 
$s \in S_i$ associated with a module $j > i$, that is $\lambda_i(s) = j$, is entered by a 
transition $t \to s$, the system goes to state $s_j^0$ and stays in $S_j$ till $s_j^f$ is seen, in 
which case it comes back to state $s$ and takes a transition $s \to t$ (according 
to the probability distribution from $s$). This process can be repeated from any 
state in a module $i$ to any module $j$ as long as $j > i$. 

Fig. 2. An HPA with an exponential number of states. 

Fig. 3. An HPA without redundancy 

To define the semantics of (Si, Pri, Xi, 89, s! )i<i<n formally, we inductively 
replace states associated with the deepest module by their definition. Indeed, 
nodes from the deepest module are not associated with any module by defini- 
tion. Once every module has been replaced, a (flat) probabilistic automaton is 
obtained with the intended semantics. 

Hence, HPA have the same expressive power as probabilistic automata. Yet, 
they may be much more compact: we denote by $|\mathcal{A}|$ the size of the description of 
the hierarchical automaton and by $\|\mathcal{A}\|$ the size of the unfolded automaton. The 
interest of such a description is that it may be exponentially smaller than the size 
of the unfolded automaton, as depicted in Fig. 2: here, every module contains 
two copies of the next module, with the exception of the last one. While the 
number of states in the description is linear ($4n$), the number of states in the 
unfolded automaton is equal to $3 \cdot 2^n - 2$. 

The symbolic Algorithm 1 is naturally modular, in that computations on 
a module used several times can be performed only once by considering states 
of the deepest module first. Indeed, one module can be summarized by three 
information items: the probability (and moments) to answer the query in this 
module, the probability (and moments) to leave this module without answer- 
ing the query in the module, and the probability to stay forever in this module 
without answering the query. Then the information can be used for shallower 
modules: every time a state $s$ in a module $i$ is associated with the deepest mod- 
ule, it can be replaced by this small set of states containing all the relevant 
information about the deepest module (and computed only once). Then, this 
process can be repeated to eliminate modules recursively. This leads to a com- 
plexity in the small size $|\mathcal{A}|$ of the compact HPA representation rather than in 
the large size $\|\mathcal{A}\|$ of the unfolded PA: 


Theorem 3. Let $\mathcal{A}$ be an HPA with $k$ modules of size at most $m$. The $n$ 
first moments of the distribution associated with $\mathcal{A}$ can be computed in time 
$O(n^2 k m^3)$. 


Not only does Theorem 3 reduce the complexity for hierarchical represen- 
tations with redundancy ($O(n^2 k)$ for the example in Fig. 2 instead of $O(n^2 2^{3k})$ 
when running the algorithm in [13] on the equivalent flat PA), it also gives a 
better complexity on structures without redundancy. Consider the example in 
Fig. 3, without redundancy, with an unfolded PA with $3k+1$ states. Theorem 3 
takes time $O(n^2 k 3^3)$, while the algorithm in [13] on the equivalent flat PA would 
take time $O(n^2 (3k)^3)$. 


4.2 Parametric Systems 


Another case where having a symbolic algorithm is helpful is when the system 
has parameters standing for probability values (see for instance Fig. 4, where p 
is such a parameter). We illustrate two cases here. 

The first case is when parameters help with redundancy. Often, stochastic 
systems reuse the same constructions, but with different probability values. This 
would be naturally encoded as a module M of a hierarchical system using a set 
of parameters P. This module M would be used several times, with different 
values of parameters specified in each module using it. 

In this case, one can run Algorithm 1 on $M$, using the parameter values 
literally in the equations. This yields rational functions $f_n : [0,1]^P \to (0,1]$ of 
the parameters expressing the moments of order $n$ for module $M$, for all $n$. For 
instance with the example of Fig. 4, the probability to reach state 4 from state 1 
is equal to $\frac{2p+4}{\cdots}$, and the mean time is equal to $\frac{112 + 44p - 12p^2}{(p+4)(2p+4)}$. Each time module 
$M$ is used, $f_n$ can be evaluated using the value of the parameters $P$ for this 
particular usage. 

Another possible use of parameters is to model uncertainty of values. In the 
example of Fig. 4, we may not know exactly the value of parameter $p$, but only 
know that it is above 0.8. In this case, one may be interested in synthesizing 
the largest (resp. smallest) moment of order $n$ which is smaller (resp. larger) 
than the moment of any system realizing the parametric system, that is where 
$p$ is replaced by any value above 0.8. This will be particularly interesting in the 
next section discussing bounds. To do so, one can use the rational function $f_n$ 
to compute its minimal and maximal values (e.g. deriving it and looking for 0 
with Euler's method). In this way, we also obtain the best/worst value for $p$. 


Fig. 4. Example of a parametric system with set of parameters $\{p\}$ 

4.3 Uniqueness of the Distribution 


Last, we use the symbolic expression of moments obtained in Sect. 3 in order to 
prove the uniqueness of the distribution having moments of first passage times 
of (continuous-time) Markov chains. Thus this distribution is the distribution of 
response times of the system considered. 

Notice that in general, there may be several distributions that correspond to a 
given sequence of moments $(\mu_n)_{n \in \mathbb{N}}$. This would compromise approximating the 
distribution using moments, as there would not be a unique such distribution. 


Example 3. Let us consider a distribution $\delta$ on $\mathbb{R}^+$. If $\delta$ has the sequence of 
moments $\{\mu_n = n! \mid n \in \mathbb{N}\}$, then $\delta$ is the exponential distribution with parameter 
1. Similarly, the sequence of moments $\{\mu_n = (2n)! \mid n \in \mathbb{N}\}$ for a distribution on 
$\mathbb{R}^+$ is characteristic of the square of the exponential distribution of parameter 1. 

Now, consider the cube of the exponential distribution of parameter 1. Its 
sequence of moments is $\{\mu_n = (3n)! \mid n \in \mathbb{N}\}$. However, there exist an infinite 
number of distributions with this sequence of moments [18]. 


We now answer positively the Stieltjes moment problem for the 
case of the distribution of response time in a (continuous-time) Markov chain, 
that is, its sequence of moments respects Carleman's condition from 
1922, which guarantees the uniqueness of the distribution. The condition is that 

$\sum_{n \in \mathbb{N}} \mu_n^{-\frac{1}{2n}} = \infty$. 


Theorem 4. Let $\mathcal{A}$ be a probabilistic automaton or a CTMC. For all $n \in \mathbb{N}$, let 
$\mu_n$ be the moment of order $n$ of the times of first passage in a set of states $R$ of 
$\mathcal{A}$. Then there exists a unique distribution $\delta$ such that $\mu_n(\delta) = \mu_n$ for all $n \in \mathbb{N}$. 


Sketch of Proof: We first consider CTMCs where all states have the same 
sojourn parameter $\lambda$. Then, a path that uses $i$ transitions to answer a query will follow 
the gamma distribution with parameters $(i, \lambda)$. We have a symbolic expression 
for moments of this distribution thanks to Sect. 3. This can be used to minimize 
$\sum_{n \in \mathbb{N}} \mu_n(\delta)^{-\frac{1}{2n}}$ by a diverging sum. 

For general CTMCs, we use the fact that $E(\Gamma(i,\lambda_1)^n) \geq E((\mathcal{E}(\lambda_1) + \cdots + 
\mathcal{E}(\lambda_i))^n)$ iff $\lambda_1 = \min(\lambda_j)_{j=1}^{i}$, where $\mathcal{E}(\lambda)$ is the exponential distribution of 
parameter $\lambda$. It allows us to minimize Carleman's sum of 
the CTMC considered by Carleman's sum of the CTMC where all sojourn 
parameters are replaced by the smallest one, $\lambda$, hence the divergence. 

The case of probabilistic automaton is simpler. 


We show how this theorem allows approximating the distribution $\delta$ in the next 
subsection. 


4.4 A Sequence of Distributions Converging Towards $\delta$ 


Since we have unicity of the distribution corresponding to the sequence of 
moments of the distribution of response time of a probabilistic automaton, we 
obtain the following convergence in law: 
Proposition 5 ([17]). Let $\delta$ be the distribution of response times of a probabilis- 
tic automaton. Let $(\delta_i)_{i \in \mathbb{N}}$ be a sequence of distributions on $\mathbb{R}^+$ such that for all 
$n$, $\lim_{i} \mu_n(\delta_i) = \mu_n(\delta)$. Then, if $C_i$ is the cumulative distribution function of $\delta_i$ 
and $C$ the cumulative distribution function of $\delta$, then for all $x$, $\lim_{i} C_i(x) = C(x)$. 


Thus, $C$ can be approximated by taking a sequence $(\delta_n)_{n \in \mathbb{N}}$ of distributions 
such that for all $i \leq n$, $\mu_i(\delta_n) = \mu_i(\delta)$. A reasonable choice for $\delta_n$ is to consider 
the distribution of maximal entropy corresponding to the moments $\mu_1, \ldots, \mu_n$, 
as presented in [11]. The distribution of maximal entropy can be understood 
as the distribution that assumes the least information. It can be approximated 
as closely as desired, for instance by a distribution $\delta'_n$ that is $\varepsilon$-close to the distribution of maximal entropy 
having moments $(\mu_1(\delta), \ldots, \mu_n(\delta))$. Applying Proposition 5, we thus obtain that 
the cumulative distribution function associated with $\delta'_n$ converges towards the 
cumulative distribution function associated with $\delta$. 


5 Bounding the Response Time 


We now explain how to use moments in order to obtain optimal bounds on 
the response time. First, notice that as soon as there exists a loop between a 
query and a response (as in Fig.1), then there will be runs with arbitrarily 
long response times, although there might be probability 1 to eventually answer 
every query (which is the case for Fig. 1). We thus turn to a more quantitative 
evaluation of the response time. 

Let $0 < p < 1$. We are interested in a bound $T$ on the delay between a query 
and a response such that more than $1 - p$ of the queries are answered before this 
bound. For a distribution $\delta : \mathbb{R}^+ \to \mathbb{R}^+$ of response times, we denote by $B(\delta, p)$ 
the lowest $T$ such that the probability to have a response time above $T$ is lower 
than $p$. Equivalently, we look for the highest $T$ such that the probability of a 
response time above $T$ is at least $p$. 

We place ourselves in the general setting of continuous distributions, where 
Dirac delta functions are allowed for simplicity. Discrete distributions form a spe- 
cial case, with delta functions at integer values. One could get rid of Dirac delta 
functions by $\varepsilon$-approximating them without changing the moments, obtaining 
the same bounds as we prove here. 


5.1 Tchebychev Bounds Associated with One Moment 


Let $i \in \mathbb{N}$ and $\mu_i > 0$. We let $\Delta_{i,\mu_i}$ be the set of distributions of response time 
which have $\mu_i$ as moment of order $i$. We are interested in bounding $B(\delta, p)$ for 
all $\delta \in \Delta_{i,\mu_i}$, that is for all distributions with $\mu_i$ as moment of order $i$. Such a 
bound is provided by Tchebychev's inequality, and it is optimal: 


Proposition 6. Let $i \in \mathbb{N}$ and $\mu_i$. Let $a_i(\mu_i, p) = \sqrt[i]{\frac{\mu_i}{p}}$. Then for all $\delta \in \Delta_{i,\mu_i}$, 
we have $B(\delta, p) \leq a_i(\mu_i, p)$. Further, $\exists \delta \in \Delta_{i,\mu_i}$ such that $B(\delta, p) = a_i(\mu_i, p)$. 

Proof. It suffices to remark that $\mu_i \geq p\, b^i$ for $b$ the bound we want to reach. 
Further, this bound is trivially optimal: it suffices to consider a distribution 
with a Dirac of mass $(1 - p)$ at 0 and a Dirac of mass $p$ at $a_i(\mu_i, p)$. 


Given a probabilistic automaton, let $\delta$ be its associated distribution of 
response time. We can compute its associated moments $\mu_i$ using Algorithm 1, 
described in the previous section. We thus know that $\delta \in \Delta_{i,\mu_i}$. Given different 
values of $i$, one can compute the different moments, apply the 
Tchebychev bound to each of them and use the minimal bound obtained. 

Understanding the relationship between the $a_i$ is thus important. For $i < j$, 
one can use Jensen's inequality for the convex function $f : x \mapsto x^{j/i}$ over $\mathbb{R}^+$, and 
obtain: $(\mu_i)^j \leq (\mu_j)^i$. For instance, $\mu_1^2 \leq \mu_2$. 

For $p = 1$, this gives $a_i(p = 1) \leq a_j(p = 1)$. On the other hand, for $p$ 
sufficiently close to 0, we have $a_j(p) \leq a_i(p)$. That is, when $p$ is very small, 
moments of high orders will give better bounds than moments of lower order. 
On the other hand, if $p$ is not that small, moments of small order will suffice. 


5.2 Optimal Bounds for a Pair of Moments 


We now explain how to extend Tchebychev bounds to pairs of moments: we 
consider the set of distributions where two moments are fixed. Let $i < j$ be two 
orders of moments and $\mu_i, \mu_j > 0$. We denote by $\Delta_{i,j}^{\mu_i,\mu_j}$ the set of distributions 
with $\mu_i, \mu_j$ as moments of order $i, j$ respectively. As $\Delta_{i,j}^{\mu_i,\mu_j}$ is strictly included in 
$\Delta_{i,\mu_i}$ and in $\Delta_{j,\mu_j}$, $\min(a_i(p), a_j(p))$ is a bound for any $\delta \in \Delta_{i,j}^{\mu_i,\mu_j}$. However, it 
may be the case that $\min(a_i(p), a_j(p))$ is not optimal. We now provide optimal 
bounds $a_i^j(p)$ for any pair $i < j$ of orders of moments and probability $p$: 


Theorem 5. Let $i < j$ be natural integers, $p \in (0,1)$, and let $\mu_i, \mu_j > 0$. Let 
$a_i = \left(\frac{\mu_i}{p}\right)^{\frac{1}{i}}$ and $a_j = \left(\frac{\mu_j}{p}\right)^{\frac{1}{j}}$. We define $a_i^j(p)$ to be: 

- $a_i$ if $a_i \leq a_j$, 
- $\left(\frac{\mu_j - M}{p}\right)^{\frac{1}{j}}$ otherwise, where $0 < M < \mu_j$ is the smallest positive real root of: 

$\mu_i = (1 - p)^{1 - \frac{i}{j}} M^{\frac{i}{j}} + p^{1 - \frac{i}{j}} (\mu_j - M)^{\frac{i}{j}}$. 

For all $\delta \in \Delta_{i,j}^{\mu_i,\mu_j}$ we have $B(\delta, p) \leq a_i^j$, and $\exists \delta \in \Delta_{i,j}^{\mu_i,\mu_j}$ with $B(\delta, p) = a_i^j$. 


To obtain a value for $M$, one can use for instance Newton's method. For 
$i = 1$, $j = 2$, we can compute $M$ explicitly and obtain: 

$a_1^2 = \mu_1 + \sqrt{\frac{(1 - p)(\mu_2 - \mu_1^2)}{p}}$. 


Example 4. Consider the distribution associated with the system of Fig. 1. 
We obtain the following bounds $a_i(p)$, $a_i^{i-1}(p)$ considering different values of 
$p$ and $i$: 

  i |      mu_i | a_i(0.1) | a_i^{i-1}(0.1) | a_i(0.01) | a_i^{i-1}(0.01) 
  1 |        10 |      100 |            100 |      1000 |            1000 
  2 |       190 |     43.6 |           38.5 |     137.8 |           104.9 
  3 |      5410 |     37.8 |           36.8 |      81.5 |            73.9 
  4 |    205390 |     37.9 |           37.8 |      67.4 |            63.8 
  5 |   9747010 |     39.6 |           37.9 |      64.2 |           61.43 
  6 | 555066190 |     42.1 |           39.6 |      62.8 |           61.47 


For p = 0.1, it is not useful to consider moments of order higher than 3. 
For p = 0.01, moment of order 5 provides better bounds than moment of lower 
orders. 
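Proposition 6 and Theorem 5 evaluated on the moments of Example 4, as an added example that is not the paper's code; the root $M$ is found by bisection rather than by the Newton iteration the text mentions, and the function names are mine.

```python
# Tchebychev bounds from one moment (Proposition 6) and optimal bounds from a
# pair of moments (Theorem 5), evaluated on the moments of Example 4.
# Constructed example, not the paper's code; bisection stands in for the
# Newton iteration the text mentions, and all function names are mine.
import math

def tchebychev_bound(mu_i, i, p):
    """a_i(mu_i, p) = (mu_i / p)^(1/i): smallest T such that P(X > T) <= p for
    every distribution on R+ with i-th moment mu_i (Proposition 6)."""
    return (mu_i / p) ** (1.0 / i)

def pair_bound(mu_i, i, mu_j, j, p):
    """a_i^j(p) of Theorem 5 for orders i < j. In the second case M is the
    smallest positive root of
        mu_i = (1-p)^(1-i/j) M^(i/j) + p^(1-i/j) (mu_j - M)^(i/j)."""
    assert 0 < i < j and 0 < p < 1 and mu_i > 0 and mu_j > 0
    a_i = tchebychev_bound(mu_i, i, p)
    a_j = tchebychev_bound(mu_j, j, p)
    if a_i <= a_j:
        return a_i
    a = i / j
    def g(M):
        return (1 - p) ** (1 - a) * M ** a + p ** (1 - a) * (mu_j - M) ** a - mu_i
    # g is concave and increasing on [0, (1-p) mu_j]; g(0) < 0 exactly when
    # a_i > a_j, and g((1-p) mu_j) = mu_j^(i/j) - mu_i >= 0 by Jensen's
    # inequality, so the smallest positive root lies in this interval.
    lo, hi = 0.0, (1 - p) * mu_j
    for _ in range(200):  # bisection; 200 halvings exhaust double precision
        mid = (lo + hi) / 2
        if g(mid) < 0:
            lo = mid
        else:
            hi = mid
    M = (lo + hi) / 2
    return ((mu_j - M) / p) ** (1.0 / j)

def pair_bound_1_2(mu_1, mu_2, p):
    """Closed form for i = 1, j = 2: a_1^2 = mu_1 + sqrt((1-p)(mu_2 - mu_1^2)/p)."""
    return mu_1 + math.sqrt((1 - p) * (mu_2 - mu_1 ** 2) / p)

# Moments of the response time of Fig. 1, as listed in Example 4.
FIG1_MOMENTS = {1: 10, 2: 190, 3: 5410, 4: 205390, 5: 9747010, 6: 555066190}

def bound_table(moments, p):
    """Rows (i, a_i(p), a_i^{i-1}(p)) as in Example 4: the pair bound combines
    the moments of orders i-1 and i (for i = 1 only a_1 is available)."""
    rows = []
    for i in sorted(moments):
        single = tchebychev_bound(moments[i], i, p)
        pair = single if i == 1 else pair_bound(moments[i - 1], i - 1, moments[i], i, p)
        rows.append((i, single, pair))
    return rows

def best_bound(moments, p):
    """Smallest bound in the table, i.e. the delay a practitioner would keep."""
    return min(min(single, pair) for _, single, pair in bound_table(moments, p))

if __name__ == "__main__":
    for p in (0.1, 0.01):
        for i, single, pair in bound_table(FIG1_MOMENTS, p):
            print(f"p={p}: i={i} a_i={single:.1f} a_i^(i-1)={pair:.1f}")
        print(f"p={p}: best bound {best_bound(FIG1_MOMENTS, p):.1f}")
```

For $p = 0.1$ the run reproduces the column of Example 4 (100, 38.5, 36.8, 37.8, 37.9, 39.6), the last three being the first case of Theorem 5 where $a_{i-1} \leq a_i$ already holds.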


For hierarchical systems, one can compute moments in an efficient way using 
Theorem 3, and then use Theorem 5 to obtain the associated optimal bounds. 
In order to handle parametric systems, we use the following result which allows 
us to underapproximate the value of $M$, and thus overapproximate the optimal 
bound, by iterating the following operator $f$ from $x = 0$: 


Lemma 1. $(f^n(0))_{n \in \mathbb{N}}$ is strictly increasing and converges towards $M$. 


We show how to $\varepsilon$-approximate the optimal bound $B$ of a parametric proba- 
bilistic automaton $\mathcal{A}$ with set of parameters $P$, that is such that for all $val \in V^P$, 
the probabilistic automaton $\mathcal{A}$ with valuation $val$ for parameter values has a 
bound $b(val) \leq B$ and there exists a $val \in V^P$ such that $b(val) = B$. First, 
we obtain the moments as symbolic functions of the parameters using Sect. 4.2. 
Then, we compute $M_1 = f(0)$ as a function of the parameters, using Lemma 1 
and replacing $\mu_i, \mu_j$ by their expression. One can then compute the minimum 
$m_1$ of function $M_1$ over all the parameters. We then proceed with $M_2 = f(m_1)$, 
and so on till obtaining a value $m$. This allows us to obtain a lower bound $m$ over 
values of $M$ for all parameter values. Computing the largest $\mu_j$ over all parame- 
ters allows us to obtain an upper bound $B_{up}$: $B \leq B_{up} = \left(\frac{\mu_j - m}{p}\right)^{\frac{1}{j}}$. A lower bound 
$B_{low}$ is easily obtained by considering the value $\geq m$ of $M$ for the parameters 
maximizing $\mu_j$. If the distance between $B_{up}$ and $B_{low}$ is larger than $\varepsilon$, one can 
partition the space of parameter values in zones and proceed in the same way on 
each zone, forgetting zones for which $B_{up}$ is lower than the $B_{low}$ of another zone, 
till the distance between $\max(B_{low})$ and $\max(B_{up})$ over zones is smaller than $\varepsilon$. 


6 Conclusion 


In this paper, we have shown how to compute moments symbolically for proba- 
bilistic automata and CTMCs, using adequately defined semirings. This method 
has the same complexity as the efficient numerical methods already known [13]. 
The proof of this symbolic computation allows proving that there is a unique 
distribution of response time corresponding to a probabilistic automaton or a 
CTMC. This allows obtaining a simple scheme of approximated distributions con- 
verging in law towards the distribution of response time. The symbolic com- 
putation of moments also allows computing moments in compact (hierarchical) 
models faster, as well as finding the lowest/highest value of moments in parametric 
systems. 

We also provide optimal bounds on the delay after which very few queries stay 
unanswered. It is optimal when considering distributions displaying a given pair 
of moments, and we showed on a simple example how this improves Tchebychev 
bounds. This can be used efficiently to obtain bounds for compact (hierarchical) 
models or to compute an optimal bound which fulfills the response of almost all 
queries even for systems where some parameter values are not known exactly. 
Abstract. The notion of comparison between system runs is fundamen- 
tal in formal verification. This concept is implicitly present in the verifi- 
cation of qualitative systems, and is more pronounced in the verification 
of quantitative systems. In this work, we identify a novel mode of com- 
parison in quantitative systems: the online comparison of the aggregate 
values of two sequences of quantitative weights. This notion is embodied 
by comparator automata (comparators, in short), a new class of automata 
that read two infinite sequences of weights synchronously and relate their 
aggregate values. 

We show that comparators that are finite-state and accept by the 
Büchi condition lead to generic algorithms for a number of well-studied 
problems, including the quantitative inclusion and winning strategies in 
quantitative graph games with incomplete information, as well as related 
non-decision problems, such as obtaining a finite representation of all 
counterexamples in the quantitative inclusion problem. 

We study comparators for two aggregate functions: discounted-sum 
and limit-average. We prove that the discounted-sum comparator is $\omega$- 
regular for all integral discount factors. Not every aggregate function, 
however, has an $\omega$-regular comparator. Specifically, we show that the 
language of sequence-pairs for which limit-average aggregates exist is 
neither $\omega$-regular nor $\omega$-context-free. Given this result, we introduce the 
notion of prefix-average as a relaxation of limit-average aggregation, and 
show that it admits $\omega$-context-free comparators. 


1 Introduction 


Many classic questions in formal methods can be seen as involving comparisons 
between different system runs or inputs. Consider the problem of verifying if a 
system $S$ satisfies a linear-time temporal property $P$. Traditionally, this problem 
is phrased language-theoretically: $S$ and $P$ are interpreted as sets of (infinite) 
words, and $S$ is determined to satisfy $P$ if $S \subseteq P$. The problem, however, can 
also be framed in terms of a comparison between words in $S$ and $P$. Suppose 
a word $w$ is assigned a weight of 1 if it belongs to the language of the system 
or property, and 0 otherwise. Then determining if $S \subseteq P$ amounts to checking 
whether the weight of every word in $S$ is less than or equal to its weight in $P$ [5]. 

The need for such a formulation is clearer in quantitative systems, in which 
every run of a word is associated with a sequence of (rational-valued) weights. 
The weight of a run is given by an aggregate function $f : \mathbb{Q}^{\omega} \to \mathbb{R}$, which returns the 
real-valued aggregate value of the run's weight sequence. The weight of a word 
is given by the supremum or infimum of the weight of all its runs. Common 
examples of aggregate functions include discounted-sum and limit-average. 

In a well-studied class of problems involving quantitative systems, the objec- 
tive is to check if the aggregate value of words of a system exceeds a constant 
threshold value [14-16]. This is a natural generalization of emptiness problems 
in qualitative systems. Known solutions to the problem involve arithmetic rea- 
soning via linear programming and graph algorithms such as negative-weight 
cycle detection, computation of maximum weight of cycles, etc. [4,18]. 

A more general notion of comparison relates aggregate values of two weight 
sequences. Such a notion arises in the quantitative inclusion problem for weighted 
automata [1], where the goal is to determine whether the weight of words in one 
weighted automaton is less than that in another. Here it is necessary to compare 
the aggregate value along runs between the two automata. Approaches based 
on arithmetic reasoning do not, however, generalize to solving such problems. 
In fact, the known solution to discounted-sum inclusion with integer discount- 
factor combines linear programming with a specialized subset-construction-based 
determinization step, rendering an EXPTIME algorithm [4,6]. Yet, this approach 
does not match the PSPACE lower bound for discounted-sum inclusion. 

In this paper, we present an automata-theoretic formulation of this form of 
comparison between weighted sequences. Specifically, we introduce comparator 
automata (comparators, in short), a class of automata that read pairs of infinite 
weight sequences synchronously, and compare their aggregate values in an online 
manner. While comparisons between weight sequences happen implicitly in prior 
approaches to quantitative systems, comparator automata make these compar- 
isons explicit. We show that this has many benefits, including generic algorithms 
for a large class of quantitative reasoning problems, as well as a direct solution 
to the problem of discounted-sum inclusion that also closes its complexity gap. 

A comparator for aggregate function f is an automaton that accepts a pair 
(A, B) of sequences of bounded rational numbers iff f(A) R f(B), where R is an 
inequality relation (≥, >, ≤, <) or the equality relation. A comparator could be 
finite-state or (pushdown) infinite-state. This paper studies such comparators. 

A comparator is ω-regular if it is finite-state and accepts by the Büchi con- 
dition. We show that ω-regular comparators lead to generic algorithms for a 
number of well-studied problems, including the quantitative inclusion problem 
and showing the existence of winning strategies in incomplete-information quanti- 
tative games. Our algorithm yields PSPACE-completeness of quantitative inclu- 
sion when the ω-regular comparator is provided. The same algorithm extends to 
obtaining finite-state representations of counterexample words in inclusion. 
Next, we show that the discounted-sum aggregation function admits an ω- 
regular comparator when the discount-factor d > 1 is an integer. Using proper- 
ties of ω-regular comparators, we conclude that discounted-sum inclusion is 
PSPACE-complete, hence resolving the complexity gap. Furthermore, we prove 
that the discounted-sum comparator for 1 < d < 2 cannot be ω-regular. We 
suspect this result extends to non-integer discount-factors as well. 

Finally, we investigate the limit-average comparator. Since limit-average is 
only defined for sequences in which the averages of prefixes converge, limit-average 
comparison is not well-defined. We show that even a Büchi pushdown automaton 
cannot separate sequences for which the limit-average exists from those for which 
it does not. Hence, we introduce the novel notion of prefix-average comparison 
as a relaxation of limit-average comparison. We show that prefix-average 
comparison admits a comparator that is ω-context-free, i.e., given by a Büchi 
pushdown automaton, and we discuss the utility of this characterization. 

This paper is organized as follows: Preliminaries are given in Sect. 2. Com- 
parator automata are formally defined in Sect. 3. Generic algorithms for ω-regular 
comparators are discussed in Sects. 3.1 and 3.2. The construction and properties 
of the discounted-sum comparator, and of the limit-average and prefix-average 
comparators, are given in Sects. 4 and 5, respectively. We conclude with future 
directions in Sect. 6. 


Related Work. The notion of comparison has been widely studied in quanti- 
tative settings. Here we mention only a few of them. Such aggregate-function 
based notions appear in weighted automata [1,17], quantitative games including 
mean-payoff and energy games [16], discounted-payoff games [3,4], in systems 
regulating cost, memory consumption, power consumption, verification of quan- 
titative temporal properties [14,15], and others. Common solution approaches 
include graph algorithms such as weight of cycles or presence of cycles [18], linear- 
programming-based approaches, fixed-point-based approaches [8], and the like. 
The choice of approach for a problem typically depends on the underlying aggre- 
gate function. In contrast, in this work we present an automata-theoretic app- 
roach that unifies solution approaches to problems on different aggregate func- 
tions. We identify a class of aggregate functions, ones that have an ω-regular 
comparator, and present generic algorithms for some of these problems. 

While work on finite-representations of counterexamples and witnesses in the 
qualitative setting is known [5], we are not aware of such work in the quanti- 
tative verification domain. This work can be interpreted as automata-theoretic 
arithmetic, which has been explored in regular real analysis [12]. 


2 Preliminaries 


Definition 1 (Büchi automata [21]). A (finite-state) Büchi automaton is a 
tuple A = (S, Σ, δ, Init, F), where S is a finite set of states, Σ is a finite input 
alphabet, δ ⊆ (S × Σ × S) is the transition relation, Init ⊆ S is the set of initial 
states, and F ⊆ S is the set of accepting states. 

A Büchi automaton is deterministic if for all states s and inputs a, |{s' | (s, a, s') ∈ 
δ}| ≤ 1 and |Init| = 1. Otherwise, it is nondeterministic. For a word 
w = w_0 w_1 ... ∈ Σ^ω, a run ρ of w is a sequence of states s_0 s_1 ... s.t. s_0 ∈ Init, 
and τ_i = (s_i, w_i, s_{i+1}) ∈ δ for all i. Let inf(ρ) denote the set of states that occur 
infinitely often in run ρ. A run ρ is an accepting run if inf(ρ) ∩ F ≠ ∅. A word 
w is an accepting word if it has an accepting run. Büchi automata are known 
to be closed under set-theoretic union, intersection, and complementation [21]. 
Languages accepted by these automata are called ω-regular languages. 


Definition 2 (Weighted ω-automaton [10,20]). A weighted ω-automaton 
over infinite words is a tuple A = (M, γ), where M = (S, Σ, δ, Init, S) is a 
Büchi automaton, and γ : δ → ℚ is a weight function. 


Words and runs in weighted ω-automata are defined as they are in Büchi 
automata. Note that all states are accepting states in this definition. The weight 
sequence of run ρ = s_0 s_1 ... of word w = w_0 w_1 ... is given by wt_ρ = n_0 n_1 ..., 
where n_i = γ(s_i, w_i, s_{i+1}) for all i. The weight of a run ρ is given by f(wt_ρ), 
where f : ℚ^ω → ℝ is an aggregate function. We use f(ρ) to denote f(wt_ρ). 

Here the weight of a word w ∈ Σ^ω in a weighted ω-automaton is defined as 
wt_A(w) = sup{f(ρ) | ρ is a run of w in A}. It can also be defined as the infimum 
of the weights of all its runs. By convention, if word w ∉ A, wt_A(w) = 0 [10]. 


Definition 3 (Quantitative inclusion). Given two weighted ω-automata P 
and Q with aggregate function f, the quantitative-inclusion problem, denoted by 
P ⊆_f Q, asks whether for all words w ∈ Σ^ω, wt_P(w) ≤ wt_Q(w). 


Quantitative inclusion is PSPACE-complete for limsup and liminf [10], and unde- 
cidable for limit-average [16]. For discounted-sum with integer discount-factor it 
is in EXPTIME [6,10], and decidability is unknown for rational discount-factors. 


Definition 4 (Incomplete-information quantitative games). An 
incomplete-information quantitative game is a tuple G = (S, s_I, O, Σ, δ, γ, f), 
where S, O, Σ are sets of states, observations, and actions, respectively, s_I ∈ S 
is the initial state, δ ⊆ S × Σ × S is the transition relation, γ : S → ℕ × ℕ is 
the weight function, and f : ℕ^ω → ℝ is the aggregate function. 


The transition relation δ is complete, i.e., for all states p and actions a, there 
exists a state q s.t. (p, a, q) ∈ δ. A play ρ is a sequence s_0 a_0 s_1 a_1 ..., where 
τ_i = (s_i, a_i, s_{i+1}) ∈ δ. The observation of state s is denoted by O(s) ∈ O. The 
observed play o_ρ of ρ is the sequence o_0 a_0 o_1 a_1 ..., where o_i = O(s_i). Player P_0 
has incomplete information about the game G; it only perceives the observed 
play o_ρ. Player P_1 receives full information and witnesses play ρ. Plays begin in 
the initial state s_0 = s_I. For i ≥ 0, Player P_0 selects action a_i. Next, player P_1 
selects the state s_{i+1}, such that (s_i, a_i, s_{i+1}) ∈ δ. The weight of state s is the pair 
of payoffs γ(s) = (γ(s)_0, γ(s)_1). The weight sequence wt_i of player P_i along ρ is 
given by γ(s_0)_i γ(s_1)_i ..., and its payoff from ρ is given by f(wt_i) for aggregate 
function f. A play on which a player receives a 
greater payoff is said to be a winning play for the player. A strategy for player 
P_0 is given by a function α : O^* → Σ since it only sees observations. Player 
P_0 follows strategy α if for all i, a_i = α(o_0 ... o_i). A strategy α is said to be a 
winning strategy for player P_0 if all plays following α are winning plays for P_0. 


Definition 5 (Büchi pushdown automata [13]). A Büchi pushdown 
automaton (Büchi PDA) is a tuple A = (S, Σ, Γ, δ, Init, Z_0, F), where S, Σ, Γ, 
and F are finite sets of states, input alphabet, pushdown alphabet and accept- 
ing states, respectively; δ ⊆ (S × Γ × (Σ ∪ {ε}) × S × Γ) is the transition relation, 
Init ⊆ S is a set of initial states, and Z_0 ∈ Γ is the start symbol. 


A run ρ on a word w = w_0 w_1 ... ∈ Σ^ω of a Büchi PDA A is a sequence of 
configurations (s_0, γ_0), (s_1, γ_1), ... satisfying (1) s_0 ∈ Init, γ_0 = Z_0, and (2) 
(s_i, γ_i, w_i, s_{i+1}, γ_{i+1}) ∈ δ for all i. A Büchi PDA consists of a stack, the elements of 
which are the tokens Γ, with initial element Z_0. Transitions push or pop token(s) 
to/from the top of the stack. Let inf(ρ) be the set of states that occur infinitely 
often in the state sequence s_0 s_1 ... of run ρ. A run ρ is an accepting run in a Büchi 
PDA if inf(ρ) ∩ F ≠ ∅. A word w is an accepting word if it has an accepting run. 
Languages accepted by Büchi PDA are called ω-context-free languages (ω-CFL). 

We introduce some notation. For an infinite sequence A = (a_0, a_1, ...), A[i] 
denotes its i-th element. Abusing notation, we write w ∈ A and ρ ∈ A if w and 
ρ are an accepting word and an accepting run of A respectively. 

For missing proofs and constructions, refer to the supplementary material. 


3 Comparator Automata 


Comparator automata (often abbreviated as comparators) are a class of automata 
that can read pairs of weight sequences synchronously and establish an equality 
or inequality relationship between these sequences. Formally, we define: 


Definition 6 (Comparator automata). Let Σ be a finite set of rational num- 
bers, and f : ℚ^ω → ℝ denote an aggregate function. A comparator automaton 
for aggregate function f is an automaton over the alphabet Σ × Σ that accepts 
a pair (A, B) of (infinite) weight sequences iff f(A) R f(B), where R is an 
inequality or the equality relation. 


From now on, unless mentioned otherwise, we assume that all weight sequences 
are bounded natural-number sequences. The boundedness assumption is justified 
since the set of weights forming the alphabet of a comparator is bounded. For all 
aggregate functions considered in this paper, the result of comparing weight 
sequences is preserved by a uniform linear transformation that converts rational- 
valued weights into natural numbers, which justifies the natural-number assumption. 
We explain comparators through an example. The limit supremum (limsup, in 
short) of a bounded integer sequence A, denoted by LimSup(A), is the largest 
integer that appears infinitely often in A. The limsup comparator is a Büchi 
automaton that accepts the pair (A, B) of sequences iff LimSup(A) > LimSup(B). 

The working of the limsup comparator is based on non-deterministically 
guessing the limsup of sequences A and B, and then verifying that LimSup(A) > 
LimSup(B). Büchi automaton A_k (Fig. 1) illustrates the basic building block of 
the limsup comparator. Automaton A_k accepts pair (A, B) of number sequences 
iff LimSup(A) = k and LimSup(B) < k, for integer k. To see why this is true, first 
note that all incoming edges to accepting state f_k occur on alphabet (k, < k), 
while all transitions between states f_k and s_k occur on alphabet (≤ k, < k), 
where ≤ k denotes the set {0, 1, ..., k} and < k denotes {0, 1, ..., k−1}. So the 
integer k must appear infinitely often in A, and all elements occurring infinitely 
often in A and B are less than or equal to k. Together these ensure that 
LimSup(A) = k and LimSup(B) < k. The union of such automata A_k for 
k ∈ {0, 1, ..., μ}, for upper bound μ, results in the limsup comparator. The limit 
infimum (liminf, in short) of an integer sequence is the smallest integer that 
appears infinitely often in it; its comparator is similar. 

When the comparator for an aggregate function is a Büchi automaton, we 
call it an ω-regular comparator. Likewise, when the comparator for an aggregate 
function is a Büchi pushdown automaton, we call it an ω-context-free comparator. 
As seen here, the limsup and liminf comparators are ω-regular. Later, we see that 
the discounted-sum comparator and the prefix-average comparator are ω-regular and ω- 
context-free respectively (Sects. 4 and 5). We call an aggregate function ω-regular 
when it has an ω-regular comparator for at least one inequality relation. Due to 
closure properties of Büchi automata, comparators for all inequality and equality 
relations of an ω-regular aggregate function are also ω-regular. 


Fig. 1. State f_k is an accepting state. Automaton A_k 
accepts (A, B) iff LimSup(A) = k, LimSup(B) < k. * 
denotes {0, 1, ..., μ}, ≤ m denotes {0, 1, ..., m}. 


Fig. 2. Weighted automaton P 

Fig. 3. Weighted automaton Q 


Motivating Example. Let weighted ω-automata P and Q be as illustrated in 
Figs. 2 and 3. The word w = a(ab)^ω has two runs ρ_1^P = q_1(q_2)^ω, ρ_2^P = q_1(q_3)^ω 
in P, and four runs ρ_1^Q = q_1(q_2)^ω, ρ_2^Q = q_1(q_3)^ω, ρ_3^Q, ρ_4^Q 
in Q. Their weight-sequences are wt_1^P = 3,(0,1)^ω, wt_2^P = 2,(2,0)^ω in P, and 
wt_1^Q = (2,1)^ω, wt_2^Q = (0,2)^ω, wt_3^Q = 1,2,(2,1)^ω, wt_4^Q = 1,0,(0,2)^ω in Q. 

To determine if w has greater weight in P or in Q, compare the aggregate values 
of the weight-sequences of runs in P and Q. Take the comparator for aggregate 
function f that accepts a pair (A, B) of weight-sequences iff f(A) ≤ f(B). For 
wt_P(w) ≤ wt_Q(w) to hold, for every run ρ^P in P there must exist a run ρ^Q in Q s.t. (ρ^P, ρ^Q) 
is accepted by the comparator. This forms the basis for quantitative inclusion. 


Algorithm 1. InclusionReg(P, Q, A_≤): Is P ⊆_f Q? 

1: Input: Weighted automata P, Q, and ω-regular comparator A_≤ (inequality ≤) 
2: Output: True if P ⊆_f Q, False otherwise 
3: P̂ ← AugmentWtAndLabel(P) 
4: Q̂ ← AugmentWtAndLabel(Q) 
5: P̂ × Q̂ ← MakeProduct(P̂, Q̂) 
6: DimProof ← Intersect(P̂ × Q̂, A_≤) 
7: Dim ← FirstProject(DimProof) 
8: return P̂ ≡ Dim 


3.1 Quantitative Inclusion 


InclusionReg (Algorithm 1) is an algorithm for quantitative inclusion for ω-regular 
aggregate functions. For weighted ω-automata P, Q, and ω-regular comparator 
A_f, InclusionReg returns True iff P ⊆_f Q. We assume P ⊆ Q (qualitative inclu- 
sion) to avoid trivial corner cases. 


Key Ideas. P ⊆_f Q holds if for every run ρ_P in P on word w, there exists a 
run ρ_Q in Q on the same word w such that f(ρ_P) ≤ f(ρ_Q). We refer to such 
runs of P as diminished runs. Hence, P ⊆_f Q iff all runs of P are diminished. 

InclusionReg constructs Büchi automaton Dim that consists of exactly the 
diminished runs of P. It returns True iff Dim contains all runs of P. To obtain 
Dim, it constructs Büchi automaton DimProof that accepts word (ρ_P, ρ_Q) iff ρ_P 
and ρ_Q are runs of the same word in P and Q respectively, and f(ρ_P) ≤ f(ρ_Q). 
The ω-regular comparator for inequality ≤ for function f ensures f(ρ_P) ≤ f(ρ_Q). 
The projection of DimProof on runs of P results in Dim. 


Algorithm Details. InclusionReg has three steps: (a) UniqueId (Lines 3-4): 
enables unique identification of runs in P and Q through labels. (b) Compare 
(Lines 5-7): compares weights of runs in P with weights of runs in Q, and con- 
structs Dim. (c) DimEnsure (Line 8): checks whether all runs of P are diminished. 


1. UniqueId: AugmentWtAndLabel transforms weighted ω-automaton A into 
Büchi automaton Â by converting transition τ = (s, a, t) with weight γ(τ) in 
A to transition τ̂ = (s, (a, γ(τ), l), t) in Â, where l is a unique label assigned 
to transition τ. The word ŵ = (a_0, n_0, l_0)(a_1, n_1, l_1) ... ∈ Â iff run ρ ∈ A on 
word a_0 a_1 ... has weight sequence n_0 n_1 .... Labels ensure a bijection between 
runs in A and words in Â. Words of Â have a single run in Â. 
Hence, the transformation of weighted ω-automata P and Q to Büchi automata 
P̂ and Q̂ enables disambiguation between runs of P and Q (Lines 3-4). 

2. Compare: The output of this step is the Büchi automaton Dim, which contains 
the word ρ ∈ P̂ iff ρ is a diminished run in P (Lines 5-7). 
MakeProduct(P̂, Q̂) constructs P̂ × Q̂ s.t. word (ρ_P, ρ_Q) ∈ P̂ × Q̂ iff ρ_P and 
ρ_Q are runs of the same word in P and Q respectively (Line 5). Concretely, 
for transitions τ_A = (s_A, (a, n_A, l_A), t_A) in automaton A, where A ∈ {P̂, Q̂}, 
transition τ_P × τ_Q = ((s_P, s_Q), (a, n_P, l_P, n_Q, l_Q), (t_P, t_Q)) is in P̂ × Q̂. 
Intersect intersects the weight components of P̂ × Q̂ with comparator A_≤ 
(Line 6). The resulting automaton DimProof accepts word (ρ_P, ρ_Q) iff 
f(ρ_P) ≤ f(ρ_Q), and ρ_P and ρ_Q are runs on the same word in P and Q 
respectively. The projection of DimProof on the words of P̂ returns Dim, 
which contains the word ρ_P iff ρ_P is a diminished run in P (Line 7). 

3. DimEnsure: P ⊆_f Q iff P̂ ≡ Dim (qualitative equivalence) since P̂ consists of 
all runs of P and Dim consists of all diminished runs of P (Line 8). 


Lemma 1. Given weighted ω-automata P and Q with an ω-regular aggregate 
function f, InclusionReg(P, Q, A_f) returns True iff P ⊆_f Q. 


Further, InclusionReg is adapted for quantitative strict-inclusion P ⊂_f Q, i.e. for 
all words w, wt_P(w) < wt_Q(w), by taking the ω-regular comparator A_< that 
accepts (A, B) iff f(A) < f(B). Similarly for quantitative equivalence P ≡_f Q. 


Complexity Analysis. All operations in InclusionReg until Line 7 are polytime 
operations in the size of the weighted ω-automata P, Q and comparator A_f. Hence, 
Dim is polynomial in the size of P, Q and A_f. Line 8 solves a PSPACE-complete 
problem. Therefore, quantitative inclusion for ω-regular aggregate function 
f is in PSPACE in the size of the inputs P, Q, and A_f. 

The PSPACE-hardness of quantitative inclusion is established via reduc- 
tion from the qualitative inclusion problem, which is PSPACE-complete. The 
formal reduction is as follows: Let P and Q be Büchi automata (with all states 
as accepting states). Reduce P, Q to weighted automata P, Q by assigning a 
weight of 1 to each transition. Since all runs in P, Q have the same weight 
sequence, the weight of all words in P and Q is the same for any function f. It is 
easy to see P ⊆ Q (qualitative inclusion) iff P ⊆_f Q (quantitative inclusion). 


Theorem 1. Let P and Q be weighted ω-automata and A_f be an ω-regular com- 
parator. The complexity of the quantitative inclusion problem, quantitative strict- 
inclusion problem, and quantitative equivalence problem for ω-regular aggregate 
function f is PSPACE-complete. 


Theorem 1 extends to weighted ω-automata when the weight of words is the infimum 
of the weights of runs. The key idea for P ⊆_f Q here is to ensure that for every run 
ρ_Q in Q there exists a run ρ_P in P on the same word s.t. f(ρ_P) ≤ f(ρ_Q). 


Representation of Counterexamples. When P ⊄_f Q, there exist word(s) 
w ∈ Σ^ω s.t. wt_P(w) > wt_Q(w). Such a word w is said to be a counterexample 
word. Previously, finite-state representations of counterexamples have been use- 
ful in verification and synthesis in qualitative systems [5], and could be useful in 
quantitative settings as well. However, we are not aware of procedures for such 
representations in the quantitative setting. Here we show that a trivial extension 
of InclusionReg yields Büchi-automata representations of all counterexamples of 
the quantitative inclusion problem for ω-regular functions. 

For word w to be a counterexample, it must have a run in P that is not 
diminished. Clearly, all non-diminished runs of P are members of P̂ \ Dim. The 
counterexample words can be obtained from P̂ \ Dim by modifying its alphabet 
to the alphabet of P, i.e., by dropping transition weights and their unique labels. 


Theorem 2. All counterexamples of the quantitative inclusion problem for an 
ω-regular aggregate function can be expressed by a Büchi automaton. 


3.2 Incomplete-Information Quantitative Games 


Given an incomplete-information quantitative game G = (S, s_I, O, Σ, δ, γ, f), 
our objective is to determine if player P_0 has a winning strategy α : O^* → 
Σ for ω-regular aggregate function f. We assume we are given the ω-regular 
comparator A_f for function f. Note that a function A^* → B can be treated like 
a B-labeled A-tree, and vice-versa. Hence, we proceed by finding a Σ-labeled 
O-tree, the winning strategy tree. Every branch of a winning strategy-tree is an 
observed play o_ρ of G for which every actual play ρ is a winning play for P_0. 

We first consider all game trees of G by interpreting G as a tree-automaton 
over Σ-labeled S-trees. Nodes n ∈ S^* of the game-tree correspond to states 
in S and are labeled by actions in Σ taken by player P_0. Thus, the root node ε 
corresponds to s_I, and a node s_{i_1} ... s_{i_n} corresponds to the state s_{i_n} reached 
via s_I, s_{i_1}, ..., s_{i_{n−1}}. Consider now a node x corresponding to state s and labeled 
by an action σ. Then x has children x s_1, ..., x s_n, for every s_i ∈ S. If s_i ∈ δ(s, σ), 
then we call x s_i a valid child, otherwise we call it an invalid child. Branches 
that contain invalid children correspond to invalid plays. 

A game-tree T is a winning tree for player P_0 if every branch of T is either a 
winning play for P_0 or an invalid play of G. One can check, using an automaton, 
if a play is invalid by the presence of invalid children. Furthermore, the winning 
condition for P_0 can be expressed by the ω-regular comparator A_f that accepts 
(A, B) iff f(A) > f(B). To use the comparator A_f, it is determinized to parity 
automaton D_f. Thus, a product of game G with D_f is a deterministic parity 
tree-automaton accepting precisely winning-trees for player P_0. 

Winning trees for player P_0 are Σ-labeled S-trees. We need to convert them 
to Σ-labeled O-trees. Recall that every state has a unique observation. We can 
simulate these Σ-labeled S-trees on strategy trees using the technique of thinning 
states S to observations O [19]. The resulting alternating parity tree automaton 
M will accept a Σ-labeled O-tree T_O iff for all actual game-trees T of T_O, T is a 
winning-tree for P_0 with respect to the strategy T_O. The problem of existence of a 
winning strategy for P_0 is then reduced to non-emptiness checking of M. 


Comparator Automata in Quantitative Verification 429 


Theorem 3. Given an incomplete-information quantitative game G and ω- 
regular comparator A_f for the aggregate function f, the complexity of deter- 
mining whether P_0 has a winning strategy is exponential in |G|·|D_f|, where 
|D_f| = |A_f|^{O(|A_f|)}. 


Since D_f is the deterministic parity automaton equivalent to A_f, |D_f| = 
|A_f|^{O(|A_f|)}. The thinning operation is linear in the size of |G × D_f|, therefore 
|M| = |G|·|D_f|. Non-emptiness checking of alternating parity tree automata 
is exponential. Therefore, our procedure is doubly exponential in the size of the 
comparator and exponential in the size of the game. The question of tighter bounds 
is open. 


4 Discounted-Sum Comparator 


The discounted-sum of an infinite sequence A with discount-factor d > 1, denoted 
by DS(A, d), is defined as $\sum_{i=0}^{\infty} A[i]/d^i$. The discounted-sum comparator (DS- 
comparator, in short) for discount-factor d, denoted by A_{DS(d)}, accepts a pair 
(A, B) of weight sequences iff DS(A, d) < DS(B, d). We investigate properties 
of the DS-comparator, and show that the DS-comparator is ω-regular for all 
integral discount-factors d, and cannot be ω-regular when 1 < d < 2. 


Theorem 4. The DS-comparator for rational discount-factor 1 < d < 2 is not ω- 
regular. 


For discounted-sum automaton A with discount factor d, the cut-point language 
of A w.r.t. r ∈ ℝ is defined as L_A^{>r} = {w ∈ L(A) | DS(w, d) > r}. It is known that 
the cut-point language L_A^{>1} with discount-factor 1 < d < 2 is not ω-regular [9]. 
One can show that if the DS-comparator for discount-factor 1 < d < 2 were ω- 
regular, then the cut-point language L_A^{>1} would also be ω-regular; this proves Theorem 4. 

We provide the construction of DS-comparator with integer discount-factor. 


Key Ideas. The core intuition is that sequences bounded by μ can be converted 
to their value in base d via a finite-state transducer. Lexicographic comparison 
of the resulting sequences renders the desired result. Conversion of sequences 
to base d requires a certain amount of book-keeping by the transducer. Here we 
describe a direct method for book-keeping and lexicographic comparison. 

For natural-number sequence A and integer discount-factor d > 1, DS(A, d) 
can be interpreted as a value in base d, i.e. $DS(A, d) = A[0] + A[1]/d + A[2]/d^2 + 
\cdots = (A[0].A[1]A[2]\ldots)_d$ [12]. Unlike comparison of numbers in base d, the 
lexicographically larger sequence may not be larger in value. This occurs because 
(i) the elements of weight sequences may be larger in value than base d, and 
(ii) every value has multiple infinite-sequence representations. 

To overcome these challenges, we resort to arithmetic techniques in base 
d. Note that DS(B, d) > D	S(A, d) iff there exists a sequence C such that 
DS(B, d) = DS(A, d) + DS(C, d), and DS(C, d) > 0. Therefore, to compare 
the discounted-sum of A and B, we obtain a sequence C. Arithmetic in base d 
also results in a sequence X of carry elements. Then, we see: 

Lemma 2. Let A, B, C, X be number sequences and d > 1 be a positive integer such 
that the following equations hold: 


1. When i = 0, A[0] + C[0] + X[0] = B[0] 
2. When i ≥ 1, A[i] + C[i] + X[i] = B[i] + d · X[i − 1] 


Then DS(B, d) = DS(A, d) + DS(C, d). 


Hence, to determine DS(B, d) − DS(A, d), systematically guess sequences C and 
X using the equations, element-by-element beginning with the 0-th index and 
moving rightwards. There are two crucial observations here: (i) computation of the 
i-th element of C and X only depends on the i-th and (i − 1)-th elements of A and 
B. Therefore guessing C[i] and X[i] requires finite memory only. (ii) C refers 
to a representation of the value DS(B, d) − DS(A, d) in base d, and X is the carry- 
sequence. Hence if A and B are bounded-integer sequences, not only are X and 
C bounded sequences, they can be constructed from a fixed finite set of integers: 


Lemma 3. Let d > 1 be an integer discount-factor. Let A and B be nonnegative 
integer sequences bounded by μ s.t. DS(A, d) < DS(B, d). Let C and X be as 
constructed in Lemma 2. There exists at least one pair of integer sequences C 
and X that satisfy the following two equations: 


1. For all i ≥ 0, 0 ≤ C[i] ≤ μ · d/(d − 1), and 


2. For all i ≥ 0, 0 ≤ |X[i]| ≤ 1 + μ/(d − 1). 


In Büchi automaton A_{DS(d)}: (i) states are represented by (x, c), where x and 
c range over all possible elements of X and C, which are finite; (ii) there is a special 
start state s; (iii) transitions from the start state (s, (a, b), (x, c)) satisfy a + c + 
x = b, to replicate Eq. 1 (Lemma 2) at the 0-th index; (iv) all other transitions 
((x_1, c_1), (a, b), (x_2, c_2)) satisfy a + c_2 + x_2 = b + d · x_1, to replicate Eq. 2 (Lemma 2) 
at indexes i > 0; and (v) all (x, c) states are accepting. Lemma 2 ensures that 
A_{DS(d)} accepts (A, B) iff DS(B, d) = DS(A, d) + DS(C, d). 

However, A_{DS(d)} is yet to guarantee DS(C, d) > 0. For this, we include 
non-accepting states (x, ⊥), where x ranges over all possible (finite) elements of 
X. Transitions into and out of states (x, ⊥) satisfy Eq. 1 or 2 (depending on 
whether the transition is from start state s), where ⊥ is treated as c = 0. Transitions 
from (x, ⊥)-states to (x, c)-states occur only if c > 0. Hence, any valid execution 
of (A, B) will be an accepting run only if the execution witnesses a non-zero value 
of c. Since C is a nonnegative sequence, this ensures DS(C, d) > 0. 


Construction. Let μ_C = μ · d/(d − 1) and μ_X = 1 + μ/(d − 1). A_{DS(d)} = (S, Σ, δ_d, Init, F), where 


– S = Init ∪ F ∪ S_1, where 
Init = {s}, F = {(x, c) | |x| ≤ μ_X, 0 ≤ c ≤ μ_C}, and 
S_1 = {(x, ⊥) | |x| ≤ μ_X}, where ⊥ is a special character, c ∈ ℕ, x ∈ ℤ. 
– Σ = {(a, b) : 0 ≤ a, b ≤ μ}, where a and b are integers. 
– δ_d ⊆ S × Σ × S is defined as follows: 
1. Transitions from start state s: 
i. (s, (a, b), (x, c)) for all (x, c) ∈ F s.t. a + x + c = b and c ≠ 0 
ii. (s, (a, b), (x, ⊥)) for all (x, ⊥) ∈ S_1 s.t. a + x = b 
2. Transitions within S_1: ((x, ⊥), (a, b), (x', ⊥)) for all (x, ⊥), (x', ⊥) ∈ S_1, 
if a + x' = b + d · x 
3. Transitions within F: ((x, c), (a, b), (x', c')) for all (x, c), (x', c') ∈ F where 
c' < d, if a + x' + c' = b + d · x 
4. Transitions between S_1 and F: ((x, ⊥), (a, b), (x', c')) for all (x, ⊥) ∈ S_1, 
(x', c') ∈ F where 0 < c' < d, if a + x' + c' = b + d · x 
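As an added example (code written for this page, not the paper's own implementation), the following Python constructs both the limsup comparator of Sect. 3 (the union of the automata A_k of Fig. 1) and the DS-comparator A_{DS(d)} of the construction above, and decides acceptance of ultimately periodic pairs (A, B) by exploring the product of the comparator with the lasso; the DS verdict is cross-checked against the exact value of DS computed with rational arithmetic. The lasso encoding (prefix, cycle), the function names, and the use of None for ⊥ are this example's own conventions.

```python
from fractions import Fraction
from math import gcd

# Constructed example, not the paper's code. A Büchi automaton is a triple
# (init, accepting, delta) with delta: dict (state, letter) -> set of states;
# infinite weight sequences are lassos (prefix, cycle), i.e. prefix.cycle^omega.

def accepts_lasso(aut, prefix, cycle):
    """Büchi acceptance of prefix.cycle^omega: explore the product of the
    automaton with the lasso and accept iff an accepting product state in the
    periodic part is reachable from an initial state and lies on a cycle."""
    init, acc, delta = aut
    word, k = list(prefix) + list(cycle), len(prefix)
    def succ(pos, q):                      # product successors of (pos, q)
        nxt = pos + 1 if pos + 1 < len(word) else k
        return [(nxt, q2) for q2 in delta.get((q, word[pos]), ())]
    def reach(start):                      # product states reachable from start
        seen, stack = set(start), list(start)
        while stack:
            for p in succ(*stack.pop()):
                if p not in seen:
                    seen.add(p)
                    stack.append(p)
        return seen
    return any(pos >= k and q in acc and (pos, q) in reach(set(succ(pos, q)))
               for pos, q in reach({(0, q) for q in init}))

def zip_lasso(A, B):
    """Synchronous lasso of pairs (A[i], B[i]) from two lassos A and B."""
    def at(s, i):
        return s[0][i] if i < len(s[0]) else s[1][(i - len(s[0])) % len(s[1])]
    la, lb = len(A[1]), len(B[1])
    k, m = max(len(A[0]), len(B[0])), la * lb // gcd(la, lb)
    word = [(at(A, i), at(B, i)) for i in range(k + m)]
    return word[:k], word[k:]

def ds_lasso(lasso, d):
    """Exact DS(prefix.cycle^omega, d) as a Fraction (geometric series)."""
    prefix, cycle = lasso
    head = sum(Fraction(v, d ** i) for i, v in enumerate(prefix))
    period = sum(Fraction(v, d ** j) for j, v in enumerate(cycle))
    return head + period / (d ** len(prefix) * (1 - Fraction(1, d ** len(cycle))))

def ds_comparator(mu, d):
    """DS-comparator for strict <, weights {0..mu}, integer d > 1 (Sect. 4).
    State (x, c) holds carry X[i] and digit C[i] of a sequence C with
    DS(B,d) = DS(A,d) + DS(C,d) (Lemma 2); (x, None) plays the role of
    (x, bottom): no non-zero digit of C seen yet, so only (x, c) states accept."""
    mu_c, mu_x = (mu * d) // (d - 1), 1 + mu // (d - 1)   # bounds of Lemma 3
    xs, delta = range(-mu_x, mu_x + 1), {}
    add = lambda p, l, q: delta.setdefault((p, l), set()).add(q)
    for a in range(mu + 1):
        for b in range(mu + 1):
            for x in xs:
                # index 0 (Eq. 1): A[0] + C[0] + X[0] = B[0]
                for c in range(1, mu_c + 1):
                    if a + x + c == b:
                        add('s', (a, b), (x, c))
                if a + x == b:
                    add('s', (a, b), (x, None))
                # index i > 0 (Eq. 2): A[i] + C[i] + X[i] = B[i] + d * X[i-1]
                for x2 in xs:
                    for c2 in range(d):
                        if a + x2 + c2 != b + d * x:
                            continue
                        add((x, None), (a, b), (x2, c2 if c2 else None))
                        for c in range(mu_c + 1):
                            add((x, c), (a, b), (x2, c2))
    return ({'s'}, {(x, c) for x in xs for c in range(mu_c + 1)}, delta)

def limsup_comparator(mu):
    """Limsup comparator (Sect. 3, Fig. 1): union over k of A_k, accepting
    (A, B) iff LimSup(A) = k and LimSup(B) < k. ('i', k) loops until the
    guess k is committed, f_k is accepting, s_k waits between occurrences of k."""
    delta = {}
    add = lambda p, l, q: delta.setdefault((p, l), set()).add(q)
    for k in range(mu + 1):
        for a in range(mu + 1):
            for b in range(mu + 1):
                add(('i', k), (a, b), ('i', k))
                if a == k and b < k:            # letter (k, <k) enters f_k
                    for p in ('i', 'f', 's'):
                        add((p, k), (a, b), ('f', k))
                if a <= k and b < k:            # letter (<=k, <k) moves to s_k
                    for p in ('f', 's'):
                        add((p, k), (a, b), ('s', k))
    return ({('i', k) for k in range(mu + 1)},
            {('f', k) for k in range(mu + 1)}, delta)

def ds_less(mu, d, A, B):
    """Comparator verdict on DS(A,d) < DS(B,d), cross-checked with exact arithmetic."""
    verdict = accepts_lasso(ds_comparator(mu, d), *zip_lasso(A, B))
    assert verdict == (ds_lasso(A, d) < ds_lasso(B, d))
    return verdict

def limsup_greater(mu, A, B):
    return accepts_lasso(limsup_comparator(mu), *zip_lasso(A, B))
```

ds_less(2, 2, ([1], [0]), ([0], [2])) returns True because DS(1·0^ω, 2) = 1 < DS(0·2^ω, 2) = 2, while the pair of representations 0·2^ω and 2·0^ω of the same value 2 is rejected, which is exactly the multiple-representation issue that the carry sequence X resolves.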


Theorem 5. The DS-comparator with maximum bound μ is ω-regular for inte- 
ger discount-factors d > 1. The size of the discounted-sum comparator is O(μ²/d). 


DS-comparators for non-strict inequality ≤ and equality = follow similarly. 
Consequently, properties of ω-regular comparators hold for the DS-comparator with 
integer discount-factor. Specifically, DS-inclusion is PSPACE-complete in the size of 
the input weighted automata and the DS-comparator. Since the size of the DS-comparator 
is polynomial w.r.t. the upper bound μ (in unary), DS-inclusion is PSPACE in the size 
of the input weighted automata and μ. Not only does this bound improve upon the 
previously known upper bound of EXPTIME, it also closes the gap between 
upper and lower bounds for DS-inclusion. 


Corollary 1. Given weighted automata P and Q, maximum weight on their 
transitions μ in unary form, and integer discount-factor d > 1, the DS-inclusion, 
DS-strict-inclusion, and DS-equivalence problems are PSPACE-complete. 


As mentioned earlier, the known upper bound for discounted-sum inclusion with 
integer discount-factor is exponential [6,10]. This bound is based on an expo- 
nential determinization construction (subset construction) combined with arith- 
metical reasoning. We observe that the determinization construction can be per- 
formed on-the-fly in PSPACE. To perform, however, the arithmetical reasoning 
on-the-fly in PSPACE would require essentially using the same bit-level ((x, c)- 
state) techniques that we have used to construct DS-comparator automata. 


5 Limit-Average Comparator 


The limit-average of an infinite sequence M is the point of convergence of the 
average of prefixes of M. Let Sum(M[0, n − 1]) denote the sum of the n-length 
prefix of sequence M. The limit-average infimum, denoted by LimInfAvg(M), is 
defined as $\liminf_{n \to \infty} \frac{1}{n} \cdot Sum(M[0, n-1])$. Similarly, the limit-average supremum, 
denoted by LimSupAvg(M), is defined as $\limsup_{n \to \infty} \frac{1}{n} \cdot Sum(M[0, n-1])$. The 
limit-average of sequence M, denoted by LimAvg(M), is defined only if the limit- 
average infimum and limit-average supremum coincide, and then LimAvg(M) = 
LimInfAvg(M) (= LimSupAvg(M)). Note that while limit-average infimum and 
supremum exist for all bounded sequences, the limit-average may not. 

In existing work, limit-average is defined as the limit-average infimum (or 
limit-average supremum) to ensure that limit-average exists for all sequences 
[7,10,11,22]. While this definition is justified in the context of the application, it 
may lead to a misleading comparison in some cases. For example, consider 
sequence A s.t. LimSupAvg(A) = 2 and LimInfAvg(A) = 0, and sequence 
B s.t. LimAvg(B) = 1. Clearly, the limit-average of A does not exist. Suppose 
LimAvg(A) = LimInfAvg(A) = 0; then LimAvg(A) < LimAvg(B), falsely suggesting that the 
averages of prefixes of A are always less than those of B in the limit. This is 
untrue since LimSupAvg(A) = 2. 

Such inaccuracies in limit-average comparison may occur when the limit- 
average of at least one sequence does not exist. However, it is not easy to distin- 
guish sequences for which limit-average exists from those for which it doesn’t. 

We define prefix-average comparison as a relaxation of limit-average compar- 
ison. Prefix-average comparison coincides with limit-average comparison when 
limit-average exists for both sequences. Otherwise, it determines whether even- 
tually the average of prefixes of one sequence is greater than that of the other. 
This comparison does not require the limit-average to exist to return intuitive 
results. Further, we show that the prefix-average comparator is ω-context-free. 


5.1 Limit-Average Language and Comparison 


Let Σ = {0, 1, ..., μ} be a finite alphabet with μ > 0. The limit-average language 
$\mathcal{L}_{LA}$ contains the sequence (word) A ∈ Σ^ω iff its limit-average exists. Suppose 
$\mathcal{L}_{LA}$ were ω-regular; then $\mathcal{L}_{LA} = \bigcup_{i=1}^{n} U_i \cdot V_i^{\omega}$, where $U_i, V_i \subseteq \Sigma^*$ are regular 
languages over finite words. The limit-average of a sequence is determined by its 
behavior in the limit, so the limit-average of sequences in $V_i^{\omega}$ exists. Additionally, 
the average of all (finite) words in $V_i$ must be the same. If this were not the 
case, then two words in $V_i$ with unequal averages $l_1$ and $l_2$ can generate a word 
$w \in V_i^{\omega}$ s.t. the average of its prefixes oscillates between $l_1$ and $l_2$. This cannot 
occur, since the limit-average of w exists. Let the average of sequences in $V_i$ be $a_i$; 
then the limit-average of sequences in $V_i^{\omega}$ and $U_i \cdot V_i^{\omega}$ is also $a_i$. This is contradictory 
since there are sequences with limit-average different from the $a_i$ (see appendix). 
Similarly, since every ω-CFL is represented by $\bigcup_{i=1}^{n} U_i \cdot V_i^{\omega}$ for CFLs $U_i, V_i$ over 
finite words [13], a similar argument proves that $\mathcal{L}_{LA}$ is not ω-context-free. 

Quantifiers $\exists^{\infty} i$ and $\exists^{f} i$ denote the existence of infinitely many and only 
finitely many indices i, respectively. 


Theorem 6. $\mathcal{L}_{LA}$ is neither an ω-regular nor an ω-context-free language. 


In the next section, we will define prefix-average comparison as a relaxation 
of limit-average comparison. To show how prefix-average comparison relates to 
limit-average comparison, we will require the following two lemmas: 


Lemma 4. Let A and B be sequences s.t. their limit-average exists. If 
$\exists^{\infty} i$, Sum(A[0, i-1]) ≥ Sum(B[0, i-1]) then LimAvg(A) ≥ LimAvg(B). 


Lemma 5. Let A, B be sequences s.t. their limit-average exists. If LimAvg(A) > 
LimAvg(B) then $\exists^{f} i$, Sum(B[0, i-1]) > Sum(A[0, i-1]) and $\exists^{\infty} i$, Sum(A[0, i-1]) > 
Sum(B[0, i-1]). 
5.2 Prefix-Average Comparison and Comparator 


The previous section relates limit-average comparison with the sums of equal- 
length prefixes of the sequences (Lemmas 4 and 5). The comparison criterion is 
based on the number of times the prefix sum of one sequence is greater than 
that of the other, which does not rely on the existence of limit-average. Unfortunately, 
this criterion cannot be used for limit-average comparison since it is incomplete 
(Lemma 5). Specifically, for sequences A and B with equal limit-average it is 
possible that $\exists^{\infty} i$, Sum(A[0, i-1]) > Sum(B[0, i-1]) and $\exists^{\infty} i$, Sum(B[0, i-1]) > 
Sum(A[0, i-1]). Instead, we use this criterion to define prefix-average 
comparison. In this section, we define prefix-average comparison and explain 
how it relaxes limit-average comparison. Lastly, we construct the prefix-average 
comparator, and prove that it is not ω-regular but is ω-context-free. 


Definition 7 (Prefix-average comparison). Let A and B be number 
sequences. We say PrefixAvg(A) ≥ PrefixAvg(B) if $\exists^{f} i$, Sum(B[0, i-1]) > 
Sum(A[0, i-1]) and $\exists^{\infty} i$, Sum(A[0, i-1]) ≥ Sum(B[0, i-1]). 


Intuitively, prefix-average comparison states that PrefixAvg(A) ≥ PrefixAvg(B) if 
eventually the sums of prefixes of A are always at least those of B. We use ≥ 
since the averages of prefixes may be equal when the difference between the sums 
is small. It coincides with limit-average comparison when the limit-average exists 
for both sequences. Definition 7 and Lemmas 4, 5 relate limit-average comparison 
and prefix-average comparison: 


Corollary 2. When the limit-average of A and B exists, then 


— PrefixAvg(A) ≥ PrefixAvg(B) ⟹ LimAvg(A) ≥ LimAvg(B). 
— LimAvg(A) > LimAvg(B) ⟹ PrefixAvg(A) ≥ PrefixAvg(B). 


Therefore, limit-average comparison and prefix-average comparison return the 
same result on sequences for which limit-average exists. In addition, prefix- 
average comparison returns intuitive results even when limit-average may not exist. 
For example, suppose the limit-averages of A and B do not exist, but LimInfAvg(A) > 
LimSupAvg(B); then PrefixAvg(A) ≥ PrefixAvg(B). Therefore, prefix-average 
comparison relaxes limit-average comparison. 

The rest of this section describes the prefix-average comparator $\mathcal{A}_{PA}$, an 
automaton that accepts the pair (A, B) of sequences iff PrefixAvg(A) ≥ 
PrefixAvg(B). 


Lemma 6 (Pumping Lemma for ω-regular languages [2]). Let L be an ω- 
regular language. There exists p ∈ ℕ such that, for each $w = u_1 w_1 u_2 w_2 \cdots \in L$ 
such that $|w_i| \geq p$ for all i, there are sequences of finite words $(x_i)_{i \in \mathbb{N}}$, $(y_i)_{i \in \mathbb{N}}$, 
$(z_i)_{i \in \mathbb{N}}$ s.t., for all i, $w_i = x_i y_i z_i$, $|x_i y_i| \leq p$ and $|y_i| > 0$, and for every sequence 
of pumping factors $(j_i)_{i \in \mathbb{N}} \in \mathbb{N}^{\omega}$, the pumped word $u_1 x_1 y_1^{j_1} z_1 u_2 x_2 y_2^{j_2} z_2 \cdots \in L$. 


Theorem 7. The prefix-average comparator is not ω-regular. 
Proof (Proof Sketch). We use Lemma 6 to prove that $\mathcal{A}_{PA}$ is not ω-regular. 
Suppose $\mathcal{A}_{PA}$ were ω-regular. For p > 0 ∈ ℕ, let $w = (A, B) = ((0,1)^p (1,0)^{2p})^{\omega}$. 
The segment $(0,1)^p$ can be pumped s.t. the resulting word 
is no longer in $\mathcal{L}_{PA}$. 

Concretely, $A = (0^p 1^{2p})^{\omega}$, $B = (1^p 0^{2p})^{\omega}$, LimAvg(A) = 2/3, LimAvg(B) = 2/3. 
So, $w = (A, B) \in \mathcal{L}_{PA}$. Select as factor $w_i$ (from Lemma 6) the sequence 
$(0,1)^p$. Pump each $y_i$ enough times so that the resulting word is $\hat{w} = (\hat{A}, \hat{B}) = 
((0,1)^{m_i} (1,0)^{2p})^{\omega}$ where $m_i > 4p$. It is easy to show that $\hat{w} = (\hat{A}, \hat{B}) \notin \mathcal{L}_{PA}$. 


We discuss key ideas and sketch the construction of the prefix-average compara- 
tor. The term prefix-sum difference at i denotes Sum(A[0, i-1]) − Sum(B[0, i- 
1]), i.e. the difference between the sums of the i-length prefixes of A and B. 


Key Ideas. For sequences A and B to satisfy PrefixAvg(A) ≥ PrefixAvg(B), 
$\exists^{f} i$, Sum(B[0, i-1]) > Sum(A[0, i-1]) and $\exists^{\infty} i$, Sum(A[0, i-1]) ≥ Sum(B[0, i- 
1]). This occurs iff there exists an index N s.t. for all indices i ≥ N, Sum(A[0, i- 
1]) − Sum(B[0, i-1]) ≥ 0. While reading a word, the prefix-sum difference is 
maintained by the states and the stack of an ω-PDA: the states record whether it is 
negative or positive, while the number of tokens in the stack equals its absolute 
value. The automaton non-deterministically guesses the aforementioned index N, 
beyond which the automaton ensures that the prefix-sum difference remains non-negative. 


Construction Sketch. The push-down comparator $\mathcal{A}_{PA}$ consists of three 
states: (i) state $s_P$ and (ii) state $s_N$, which indicate that the prefix-sum difference 
is non-negative or non-positive, respectively, and (iii) the accepting state $s_F$. An execution 
of (A, B) begins in state $s_N$ with an empty stack. On reading letter (a, b), the 
automaton pops or pushes |a − b| tokens from the stack depending on the current 
state of the execution. From state $s_P$, the stack pushes tokens if (a − b) ≥ 0, 
and pops otherwise. The opposite occurs in state $s_N$. A state transition between 
$s_N$ and $s_P$ occurs only if the stack action is to pop but the stack consists of 
k < |a − b| tokens. In this case, the stack is emptied, the state transition is performed 
and |a − b| − k tokens are pushed onto the stack. For an execution of (A, B) to 
be an accepting run, the automaton non-deterministically transitions into state 
$s_F$. State $s_F$ acts similarly to state $s_P$ except that the execution is terminated if there 
aren't enough tokens to pop from the stack. $\mathcal{A}_{PA}$ accepts by accepting state. 

To see why the construction is correct, it is sufficient to prove that at each 
index i, the number of tokens in the stack is equal to |Sum(A[0, i-1]) − 
Sum(B[0, i-1])|. Furthermore, in state $s_N$, Sum(A[0, i-1]) − Sum(B[0, i-1]) ≤ 0, 
and in states $s_P$ and $s_F$, Sum(A[0, i-1]) − Sum(B[0, i-1]) ≥ 0. Next, the index at 
which the automaton transitions to the accepting state $s_F$ coincides with index 
N. The execution is accepted if it has an infinite execution in state $s_F$, which 
allows transitions only if Sum(A[0, i-1]) − Sum(B[0, i-1]) ≥ 0. 


Theorem 8. The prefix-average comparator is ω-context-free. 


While ω-CFLs can be easily expressed, they lack the closure properties that 
ω-regular languages enjoy, and many problems on ω-CFLs are undecidable. Hence, the 
application of ω-context-free comparators will require further investigation. 
6 Conclusion 


In this paper, we identified a novel mode for comparison in quantitative sys- 
tems: the online comparison of aggregate values of sequences of quantitative 
weights. This notion is embodied by comparator automata that read two 
infinite sequences of weights synchronously and relate their aggregate values. 
We showed that ω-regular comparators not only yield generic algorithms for 
problems including quantitative inclusion and winning strategies in incomplete- 
information quantitative games, they also result in algorithmic advances. We 
showed that the discounted-sum inclusion problem is PSPACE-complete for integer 
discount-factor, hence closing a complexity gap. We also studied the discounted- 
sum and prefix-average comparators, which are ω-regular and ω-context-free, 
respectively. 

We believe comparators, especially ω-regular comparators, can be of signif- 
icant utility in verification and synthesis of quantitative systems, as demon- 
strated by the existence of finite representations of counterexamples of the quan- 
titative inclusion problem. Another potential application is computing equilibria 
in quantitative games. Applications of the prefix-average comparator, and in general 
of ω-context-free comparators, are open to further investigation. Another direction 
to pursue is to study aggregate functions in more detail, and develop a clearer 
understanding of when aggregate functions are ω-regular. 
Abstract. In recent years, the key principles behind Separation Logic 
have been generalized to generate formalisms for a number of verification 
tasks in program analysis via the formulation of ‘non-standard’ mod- 
els utilizing notions of separation distinct from heap disjointness. These 
models can typically be characterized by a separation theory, a collection 
of first-order axioms in the signature of the model’s underlying ordered 
monoid. While all separation theories are interpreted by models that 
instantiate a common mathematical structure, many are undefinable in 
Separation Logic and determine different classes of valid formulae, lead- 
ing to incompleteness for existing proof systems. Generalizing systems 
utilized in the proof theory of bunched logics, we propose a framework of 
tableaux calculi that are generically extendable by rules that correspond 
to separation theories axiomatized by coherent formulas. This class cov- 
ers all separation theories in the literature—for both classical and intu- 
itionistic Separation Logic—as well as axioms for a number of related 
formalisms appropriate for reasoning about complex systems, security, 
and concurrency. Parametric soundness and completeness of the frame- 
work is proved by a novel representation of tableaux systems as coherent 
theories, suggesting a strategy for implementation and a tentative first 
step towards a new logical framework for non-classical logics. 


Keywords: Bunched logic · Coherent logic · Kripke semantics · 
Proof theory · Separation logic · Separation theories · 
Substructural logic · Tableaux 


1 Introduction 


Separation Logic [39], introduced by Ishtiaq and O’Hearn [32], Reynolds [44], 
Yang and O’Hearn [50], is a Hoare-style program logic suitable for reasoning 
about programs that mutate data structures. In its original formulation, the 
assertion language of Separation Logic is based on a model of O’Hearn and 
Pym’s logic of bunched implications [40] formulated by considering heaps as 
possible worlds with internal structure that allows their decomposition into sep- 
arate pieces of memory. This decomposition is witnessed in the logic by the 
separating conjunction ∗, with φ ∗ ψ informally read as ‘the heap can be split 
into separate parts; one satisfying φ and the other satisfying ψ’. 

Calcagno et al. [13] abstract the details of the heap model to a structure called 
a separation algebra, a partial-deterministic and cancellative monoid model of 
the Boolean logic of bunched implications (BBI), which can be used to generate 
bespoke separation logics suitable for program analysis tasks beyond that of the 
original formalism. Conflicting definitions of separation algebra have since been 
given by adding/removing first-order properties or strengthening/weakening the 
monoid properties [10,14,21,24]. These mutually exclusive definitions can be 
encompassed in a framework of separation theories [10], collections of first-order 
axioms (separation properties) common to separation logic models which the 
definition of (B)BI model can be extended by. All separation logics in the lit- 
erature can be seen to be models of separation theories, while the frameworks 
Views [21] and Iris [33] explicitly implement the idea of generating program 
logics parametrically by separation theory. 

Recent work has revealed an expressivity gap between the logic of bunched 
implications and common separation theories in the literature, however. Broth- 
erston and Villard [10], Larchey-Wendling and Galmiche [36] show that separa- 
tion properties like indivisibility of units and partial deterministic composition 
determine distinct sets of valid BBI formulae, leading to the incompleteness of 
standard proof systems with respect to typical classes of memory models. To 
make matters worse, Brotherston and Villard additionally show that many sep- 
aration properties (among them partial determinism) are undefinable in BBI, 
and thus cannot be axiomatized by the logic. These results also hold for BI, 
the intuitionistic logic of bunched implications. This is an increasingly relevant 
issue given the growing number of intuitionistic separation logics, most promi- 
nent amongst them Iris, a framework that utilizes a ‘later’ modality [37] that 
can only be nontrivially defined in intuitionistic systems. 

This expressivity gap is a significant problem for Separation Logic. A theorem 
prover for deriving assertions satisfied by the underlying model is a necessary 
component of any implementation of a separation logic, with the deployable 
proof theory of the standard formalism crucial for its scalability to large code 
bases [12,50]. Standard implementations are model-specific, however, and only 
suitable for the heap model. In order to account for the large numbers of bespoke 
separation logics, as well as Views/Iris-style frameworks, we require tools that 
support parametrization by separation theory. 


Technical Approach. The present work generalizes methods pioneered on 
tableaux systems for a range of logics including and related to BI and BBI 
[20, 22,28, 34] to specify modular tableaux calculi for the breadth of separation 
theories in the literature, proved sound and complete uniformly and parametri- 
cally in choice of separation theory. While previous systems implicitly implement 
a systematic method for constructing tableaux proof theory for bunched logics, 
subtle but significant changes must be made to additionally capture separation 
theories. Past systems can be formulated as particular instances of our frame- 
work, thus making the systematic method explicit. 
First, we specify tableaux proof systems for BI and BBI, the propositional 
basis for Separation Logic. The key difference between our calculi and tableaux 
systems previously given in the literature is that we do not outsource any part 
of the derivation of proofs to an algebra of labels or auxiliary proof system 
for constraints. Instead, we utilize frame expansion rules that are of the same 
form as the standard logical expansion rules of the system. These rules capture 
the same structural properties (and more) but can also be added/removed in 
a modular fashion. Crucially, this ensures separation properties—for example, 
partial determinism—are not hard-coded into the basic systems via the structure 
of labels, and facilitates the parametricity of our completeness theorem. 

We extend these systems with a rule schema for separation properties that are 
axiomatized by coherent formulae; a subset of first-order formulae with a special 
syntactic form. This set contains every separation property that can be found 
in the literature and is expressive enough to include virtually any axiom that 
might be utilized in future. The strength of this statement can be justified by a 
folklore result recently reconstructed by Dyckhoff and Negri [25] that shows that 
every first-order axiom can be reconstructed as an equivalent system of coherent 
formulae. We thus obtain a modular framework of (B)BI + X-tableaux systems, 
where X is an arbitrary collection of coherent axioms. 

In order to prove soundness and completeness of the system, we utilize a novel 
representation of labelled tableaux systems as theories of coherent logic. The key 
insight here is that the translation of coherent formulae into tableaux rules is 
not one way: tableaux rules can naturally be seen as coherent formulae in a 
signature augmented with special predicate symbols. The parametric soundness 
and completeness of the framework can then be reduced to proving the soundness 
and completeness of Tarskian truth for coherent logic with respect to a meta- 
tableaux method, a problem positively resolved by Bezem and Coquand [4]. To 
our knowledge, the application of this technique to labelled tableaux is new, 
although, in the aforementioned work, Bezem and Coquand show how to encode 
the tableaux method for first-order classical logic as a coherent theory, and trace 
the idea of abbreviating formulae with predicate symbols to Skolem [47]. 


Contributions. We identify three principal contributions. 


1. A sound and complete proof theory for the full breadth of separation theories 
in the literature. Notably, this includes the first proof theoretic treatment of 
separation theories for intuitionistic Separation Logic. 

2. A new technique for constructing proof systems for essentially any logic inter- 
preted on Kripke structures that are axiomatized by coherent theories. 

3. The identification of tableaux systems with theories of coherent logic. 


On points 2 and 3, we believe many tableaux systems in the literature are sub- 
sumed by this method, with their respective ‘Hintikka set’ completeness proofs 
actually localized instances of the parametric completeness theorem given here. 
This suggests the possibility of a logical framework for non-classical logics via the 
representation of tableaux systems as coherent theories. This may be related to 
Schmitt and Tishkovsky’s [45] technique for automatically synthesising tableaux 
calculi for logics that can be presented as first-order theories in a particular form. 
We believe the “rule refinement” post-processing their tableau rules undergo 
after synthesis can be made redundant by instead synthesising from coherent 
theories, but we defer such an investigation to another occasion. 


Related Work. While much work has been done on the proof theory of BI 
and BBI [9,28,29,41], as well as proof systems for the concrete heap model 
of Separation Logic [5,27,30], very little exists for separation theories. A key 
exception to this is Hóu et al.’s [31] labelled sequent calculi for propositional 
abstract separation logic. There, a labelled sequent calculus for BBI is extended 
with rules corresponding to the most common separation properties — partial 
determinism, cancellativity, indivisible unit and disjointness — and completeness 
and cut elimination are proved. In Hóu's PhD dissertation [29] the properties 
cross-split and splittability are additionally handled, although completeness for 
these new rules requires ‘non-trivial changes’ to the previous proofs. 

The classes of model captured by our systems strictly extend those of Hóu 
et al. [31]—in particular, by additionally considering classes of BI models that 
are appropriate for intuitionistic separation logics—and our calculi are proved 
complete uniformly. Our systems are also generically extendable according to 
a rule schema, meaning the framework should be suitable for new separation 
theories devised in the future. A deficiency of our approach with respect to Hóu 
et al.’s is a lack of implementation, though we note that the representation of our 
systems as theories of coherent logic suggests off-the-shelf coherent logic provers 
(cf. [43]) could be used to give naive implementations of our framework. 

Brotherston and Villard [10] deal with the undefinability of separation the- 
ories by defining a conservative extension of BBI called HyBBI, extending the 
syntax with nominals, satisfaction operators and binders. This extra expressiv- 
ity leads to the axiomatizability of the undefinable separation properties. This 
work is not specifically concerned with proof theory, giving only a Hilbert-style 
system for HyBBI, and has the defect of requiring modifications to the syntax 
of Separation Logic. In addition, a significant theoretical reformulation would 
be required to capture intuitionistic separation theories this way. In contrast, in 
our work the necessary machinery is internalized within the proof system and 
both Boolean and intuitionistic cases are taken care of uniformly. 

Finally, we connect our work to a line of research in proof theory investigating 
the generation of proof rules from coherent theories. Simpson [46] and Braüner 
[8] have used this technique to produce natural deduction rules, while Negri 
[38] has extensively developed it to generate (systems of) labelled sequent rules 
from frame conditions axiomatized by (generalized) coherent formulae. To our 
knowledge the present work is the first application of these ideas to the tableaux 
method. In addition, we believe the encoding of the proof systems themselves as 
coherent theories is novel. 
2 Preliminaries 


The Logics of Bunched Implications. We first recall O’Hearn and Pym’s 
logics of bunched implications BI and BBI [40], the propositional basis of Separa- 
tion Logic’s assertion language. BI and BBI are archetypal examples of bunched 
logics; systems given by combining the standard additives of classical or intuition- 
istic propositional logic with the multiplicatives of a substructural logic. This idea 
has been developed to give logics for reasoning about concurrency [23] and the 
layering structure of complex systems [17,18,22], Hennessy-Milner-style pro- 
cess logics for reasoning about security and systems modelling [1,19] and modal 
and epistemic systems for reasoning about reachability /knowledge subject to the 
availability of resources [20, 26]. 

Let Prop be a set of atomic propositions, ranged over by p. The set of all 
formulae of (B)BI is generated by the following grammar: 


φ ::= p | ⊤ | ⊥ | I | φ ∧ φ | φ ∨ φ | φ → φ | φ ∗ φ | φ —∗ φ. 


For BI, the standard connectives are interpreted intuitionistically; in BBI, clas- 
sically. Negation is defined by ¬φ := φ → ⊥. Figure 1 gives Hilbert rules for the 
multiplicative fragment of the logics. 


ξ ⊢ φ, η ⊢ ψ ⟹ ξ ∗ η ⊢ φ ∗ ψ        ξ ⊢ φ —∗ ψ, η ⊢ φ ⟹ ξ ∗ η ⊢ ψ        ξ ∗ φ ⊢ ψ ⟹ ξ ⊢ φ —∗ ψ 

φ ⊣⊢ φ ∗ I        φ ∗ ψ ⊢ ψ ∗ φ        φ ∗ (ψ ∗ χ) ⊢ (φ ∗ ψ) ∗ χ 

Fig. 1. Rules for the multiplicative fragment of (B)BI. 


A BI frame is given by a tuple 𝔛 = (X, ≤, ∘, E), where (X, ≤) is a partial 
order, ∘ : X² → P(X) a binary composition (where P(X) denotes the power set 
of X) and E ⊆ X a set of units for ∘. This structure must satisfy the following 
axioms, where the outermost universal quantification is left implicit: 


(Comm)   z ∈ x ∘ y → z ∈ y ∘ x                     (Up)   e ∈ E ∧ e ≤ e' → e' ∈ E 
(Unit 1) ∃e ∈ E (x ∈ x ∘ e)                         (Unit 2)   x ∈ y ∘ e ∧ e ∈ E → y ≤ x 
(Assoc)  t ≥ t' ∈ x ∘ y ∧ w ∈ t ∘ z → ∃s, s', w' (s ≥ s' ∈ y ∘ z ∧ w ≥ w' ∈ x ∘ s). 


The axioms formalize intuitive ideas about the composition of generic resources; 
for example, that the composition satisfies a generalized associativity that is com- 
patible with the comparison order. This analysis is known as resource semantics. 

A sound interpretation of BI is given by extending the standard poset seman- 
tics for propositional intuitionistic logic. This requires a persistent valuation: a 
map V : Prop → P(X) such that x ∈ V(p) and x ≤ y entail y ∈ V(p). We 
call a BI frame 𝔛 together with a persistent valuation V a Kripke BI model. 
The satisfaction relation ⊨_V is given in Fig. 2. As is standard for intuitionistic 
logics, persistence extends to all formulae of BI. Kripke BBI models and their 
associated semantics are given by the special case of the definitions for BI when 
the partial order ≤ is equality. 


r ⊨ p iff r ∈ V(p)        r ⊨ ⊤ always        r ⊭ ⊥ 
r ⊨ φ ∧ ψ iff r ⊨ φ and r ⊨ ψ        r ⊨ φ ∨ ψ iff r ⊨ φ or r ⊨ ψ 
r ⊨ φ → ψ iff for all r' ≥ r, r' ⊨ φ implies r' ⊨ ψ        r ⊨ I iff r ∈ E 
r ⊨ φ ∗ ψ iff there exist r', s, t such that r ≥ r' ∈ s ∘ t, s ⊨ φ and t ⊨ ψ 
r ⊨ φ —∗ ψ iff for all r', s, t: r ≤ r', t ∈ r' ∘ s and s ⊨ φ implies t ⊨ ψ 


Fig. 2. Satisfaction for (B)BI. BBI is the case where ≤ is substituted with =. 


Coherent Logic. Coherent logic is the fragment of first-order logic consisting 
of formulae of the form 
$A_1(\bar{x}) \wedge \cdots \wedge A_n(\bar{x}) \to \exists \bar{y}_1 B_1(\bar{x}, \bar{y}_1) \vee \cdots \vee \exists \bar{y}_m B_m(\bar{x}, \bar{y}_m)$, 
for n, m ≥ 0, where each $A_i$ is an atomic formula involving only variables from 
the vector $\bar{x}$, and each $B_j$ is a conjunction of atomic formulae involving only 
variables from the vectors $\bar{x}$ and $\bar{y}_j$. In a coherent formula, the variables $\bar{x}$ are 
implicitly universally quantified (with scope the whole formula) and both $\bar{x}$ and 
$\bar{y}_j$ may be empty. The case n = 0 is an antecedent that is always true, 
$\top \to \exists \bar{y}_1 B_1(\bar{x}, \bar{y}_1) \vee \cdots \vee \exists \bar{y}_m B_m(\bar{x}, \bar{y}_m)$; similarly, the case m = 0 is a 
consequent that is always false: $A_1(\bar{x}) \wedge \cdots \wedge A_n(\bar{x}) \to \bot$. 

This fragment of first-order logic is sometimes referred to as geometric logic; 
however, we reserve this name for the generalization of the definition given here 
that permits the consequent to be an infinite disjunction. In turn, coherent logic 
generalizes—via the case m = 1 with empty yj—the Horn clause fragment of 
first-order logic utilized in logic programming and first-order theorem provers 
based on the resolution method. 

We call a set of coherent formulae Φ a coherent theory. Models of coherent 
theories are given in a way standard for first-order logic: a Tarskian model of Φ 
is a non-empty set X together with an interpretation $\mathcal{I}$, which assigns to every n- 
ary relation symbol R in the signature a set $R^{\mathcal{I}} \subseteq X^n$ such that for each coherent 
formula in Φ, for all $\bar{x} \in X$, the consequent 
$\exists \bar{y}_1 \in X\,(B_1^{\mathcal{I}}(\bar{x}, \bar{y}_1)) \vee \cdots \vee \exists \bar{y}_m \in X\,(B_m^{\mathcal{I}}(\bar{x}, \bar{y}_m))$ 
is true whenever the antecedent $A_1^{\mathcal{I}}(\bar{x}) \wedge \cdots \wedge A_n^{\mathcal{I}}(\bar{x})$ is true. 

Many common mathematical structures are axiomatized by coherent theo- 
ries. For example, algebraic structures like groups, rings, lattices, and fields, as 
well as total, partial, and linear orders. Further examples are found in the the- 
ory of confluence for term rewriting systems [4,48]. Of interest for our purposes, 
(B)BI frames are axiomatized by coherent theories. As we will see, every known 
separation property is given directly as a coherent axiom, with the exception of 
Splittability, which can be rewritten as a coherent theory. 
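The resource semantics of Sect. 2 and the separation properties catalogued in Fig. 5 (Sect. 3) are all universal first-order conditions, so on a finite frame each can be checked by enumeration. The following Python is an added example, not code from the paper: it builds two small BBI frames on the same carrier, the heap-like disjoint-union frame and a frame in which overlapping resources also compose, checks the frame axioms (with ≤ read as equality) and a selection of Fig. 5's properties exhaustively, and evaluates the satisfaction clauses of Fig. 2 on them. Representing a frame as (carrier, composition table, units) with frozensets of addresses as elements, the valuation V and the encoding of formulae as nested tuples are this example's own conventions.

```python
from itertools import combinations, product

# A finite BBI frame (Sect. 2 with <= taken to be equality): a carrier X, a composition
# comp mapping (x, y) to the set of results of x o y (empty when the composition is
# undefined, several elements when it is non-deterministic) and a set E of units.
# Elements are frozensets of addresses so that heap-like models read naturally.

def powerset(addrs):
    return [frozenset(s) for r in range(len(addrs) + 1) for s in combinations(addrs, r)]

def disjoint_union_frame(addrs):
    """The heap-like separation algebra: composition is union of disjoint resources,
    undefined on overlapping ones, with the empty resource as the only unit."""
    X = powerset(addrs)
    comp = {(x, y): ({x | y} if not (x & y) else set()) for x in X for y in X}
    return X, comp, {frozenset()}

def union_frame(addrs):
    """Same carrier, but overlapping resources combine too (plain union)."""
    X = powerset(addrs)
    return X, {(x, y): {x | y} for x in X for y in X}, {frozenset()}

def frame_axioms(frame):
    """The BBI frame axioms of Sect. 2 (Comm, Unit 1, Unit 2, Assoc), checked exhaustively."""
    X, comp, E = frame
    return {
        "Comm":   all(comp[x, y] == comp[y, x] for x in X for y in X),
        "Unit 1": all(any(x in comp[x, e] for e in E) for x in X),
        "Unit 2": all(x == y for y in X for e in E for x in comp[y, e]),
        "Assoc":  all(any(w in comp[x, s] for s in comp[y, z])
                      for x in X for y in X for z in X for t in comp[x, y] for w in comp[t, z]),
    }

def separation_properties(frame):
    """Some of the coherent separation properties of Fig. 5, read off a finite frame."""
    X, comp, E = frame
    return {
        "Partial Determinism": all(len(comp[x, y]) <= 1 for x in X for y in X),
        "Total":               all(comp[x, y] for x in X for y in X),
        "Cancellativity":      all(y == y2 for x in X for y in X for y2 in X
                                   if comp[x, y] & comp[x, y2]),
        "Single Unit":         len(E) == 1,
        "Indivisible Units":   all(y in E for y in X for z in X for x in comp[y, z] if x in E),
        "Disjointness":        all(y in E for y in X if comp[y, y]),
        "Cross-Split":         all(any(t in comp[a, b] and u in comp[c, d]
                                       and v in comp[a, c] and w in comp[b, d]
                                       for a, b, c, d in product(X, repeat=4))
                                   for t, u, v, w in product(X, repeat=4) if comp[t, u] & comp[v, w]),
    }

def sat(frame, V, r, phi):
    """Satisfaction of Fig. 2 for BBI (<= is equality); phi is a nested tuple such as
    ("*", ("atom", "p"), ("I",)) and V maps atoms to the set of worlds where they hold."""
    X, comp, E = frame
    op = phi[0]
    if op == "top":  return True
    if op == "bot":  return False
    if op == "I":    return r in E
    if op == "atom": return r in V[phi[1]]
    if op == "and":  return sat(frame, V, r, phi[1]) and sat(frame, V, r, phi[2])
    if op == "or":   return sat(frame, V, r, phi[1]) or sat(frame, V, r, phi[2])
    if op == "->":   return (not sat(frame, V, r, phi[1])) or sat(frame, V, r, phi[2])
    if op == "*":    # r is a composition s o t with s |= phi1 and t |= phi2
        return any(sat(frame, V, s, phi[1]) and sat(frame, V, t, phi[2])
                   for s in X for t in X if r in comp[s, t])
    if op == "-*":   # every composition of r with a phi1-world satisfies phi2
        return all(sat(frame, V, t, phi[2])
                   for s in X if sat(frame, V, s, phi[1]) for t in comp[r, s])
    raise ValueError("unknown connective %r" % op)

if __name__ == "__main__":
    heaps, overlapping = disjoint_union_frame((1, 2)), union_frame((1, 2))
    for name, frame in (("disjoint union", heaps), ("union", overlapping)):
        print(name, frame_axioms(frame), separation_properties(frame))
    V = {"p": {frozenset({1})}, "q": {frozenset({2})}}      # constructed valuation
    print(sat(heaps, V, frozenset({1, 2}), ("*", ("atom", "p"), ("atom", "q"))))  # True
```

On two addresses both frames satisfy the four frame axioms; the disjoint-union frame additionally has Partial Determinism, Cancellativity, Indivisible Units, Disjointness and Cross-Split but is not total, whereas the union frame is total and partial-deterministic but fails Cancellativity and Disjointness ({1} ∘ {1} = {1} with {1} not a unit). Correspondingly p ∗ p holds at {1} in the union frame but at no non-unit world of the heap frame: a validity that depends on the separation theory, which is what motivates parametrising the proof theory by it.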


3 Modular Tableaux Calculi for Separation Theories 


The Base Tableaux Systems. We begin with tableaux systems designed for 
the semantics of (B)BI as outlined in Sect. 2. As is standard for tableaux systems, 
Logical expansion rules 

(T∧)   Tφ∧ψ : x ∈ F  ⟹  ({Tφ : x, Tψ : x}, ∅) 
(F∧)   Fφ∧ψ : x ∈ F  ⟹  ({Fφ : x}, ∅) | ({Fψ : x}, ∅) 
(T∨)   Tφ∨ψ : x ∈ F  ⟹  ({Tφ : x}, ∅) | ({Tψ : x}, ∅) 
(F∨)   Fφ∨ψ : x ∈ F  ⟹  ({Fφ : x, Fψ : x}, ∅) 
(TI)   TI : x ∈ F  ⟹  (∅, {Ex}) 

Frame expansion rules 

(Ref)     Expr(x) ∈ C ∪ F  ⟹  (∅, {x ~ x}) 
(Trans)   x ~ y, y ~ z ∈ C  ⟹  (∅, {x ~ z}) 
(Sub)     x ~ y, y ~ x, Expr(x) ∈ C  ⟹  (∅, {Expr[y/x]}) 
(Comm)    R,xyz ∈ C  ⟹  (∅, {R,yxz}) 
(Unit 1)  Expr(x) ∈ F ∪ C  ⟹  (∅, {Ec_i, R,xc_ix}) 
(Unit 2)  R,xyz, Ey ∈ C  ⟹  (∅, {x ~ z}) 

with c_i a fresh label and Expr(x) any expression in which x occurs. 
Fig. 3. Shared rules for the tableaux systems. 


derivations in our calculi are implicit attempts to construct a countermodel for 
the formula φ to be proved. This is done via the derivation of syntactic expres- 
sions that give partial specifications of a (B)BI model that can be realized as a 
real model if the formula is invalid. If every possible countermodel construction 
(i.e., every branch of a tableau) results in a contradiction, then we may conclude 
that no countermodel exists and call such a tableau a proof of φ. 

The calculi work with two types of syntactic expression. First we have labelled 
formulae Sφ : x, given by a sign S ∈ {T, F} together with a (B)BI formula φ 
and a label x ∈ {c_i | i ∈ ℕ}. A labelled formula states that a (B)BI formula φ 
is true (T) or false (F) at the state represented by the label x. The other type 
are called constraints, and encode a partial specification of the structure of a 
(B)BI frame. For labels x, y, z ∈ {c_i | i ∈ ℕ}, a constraint is an expression of the 
form x ~ y, R,xyz or Ex, corresponding to the state represented by x being ≤ 
that represented by y, the state represented by z being a composition of those 
represented by x and y, or the state represented by x being a unit, respectively. 

Unlike other bunched logic tableaux systems, we only utilize atomic labels, 
as opposed to a monoidal algebra of labels that encodes properties of the multi- 
plicative connectives. New constraints are derived only by frame expansion rules 
(which directly reflect the axioms that define (B)BI frames and equality), rather 
than through the properties of a label algebra and a separate proof system for 
constraints. A constrained set of statements (CSS) is a pair (F,C), where F is a 
set of labelled formulae and C is a set of constraints. It is finite if F and C are. 

Informally, tableaux are trees annotated with finite CSSs. Each branch deter- 
mines a CSS (F, C) where F (respectively C) is the union of the formula (con- 
straint) sets that occur on the branch. Figures 3 and 4 give rules dictating the 
expansion of tableaux: Fig. 3 gives rules shared by both the BI and BBI systems, 
while Fig. 4 gives rules exclusive to each system. While c_i, c_j, c_k denote concrete 
fresh labels, x, y, z etc. are label variables. An instance of a rule is triggered for 
a branch CSS when a concrete substitution instance of the premiss holds of it, 
and the same label substitutions carry through to the (branching) CSS(s) that 
the conclusion dictates are added to the tree. We now define (B)BI tableaux 
formally, with ⊕ giving concatenation of lists. 


Logical expansion rules for BI 

(T→)   Tφ→ψ : x ∈ F and x ~ y ∈ C  ⟹  ({Fφ : y}, ∅) | ({Tψ : y}, ∅) 
(F→)   Fφ→ψ : x ∈ F  ⟹  ({Tφ : c_i, Fψ : c_i}, {x ~ c_i}) 
(T∗)   Tφ∗ψ : x ∈ F  ⟹  ({Tφ : c_i, Tψ : c_j}, {R,c_ic_jc_k, c_k ~ x}) 
(F∗)   Fφ∗ψ : x ∈ F and R,yzw, w ~ x ∈ C  ⟹  ({Fφ : y}, ∅) | ({Fψ : z}, ∅) 
(T—∗)  Tφ—∗ψ : x ∈ F and x ~ w, R,wyz ∈ C  ⟹  ({Fφ : y}, ∅) | ({Tψ : z}, ∅) 
(F—∗)  Fφ—∗ψ : x ∈ F  ⟹  ({Tφ : c_j, Fψ : c_k}, {x ~ c_i, R,c_ic_jc_k}) 

Frame expansion rules for BI 

(Assoc)  t ~ t', R,xyt, R,t'zw ∈ C  ⟹  (∅, {c_i ~ c_j, c_k ~ w, R,yzc_i, R,xc_jc_k}) 
(Up)     Ex, x ~ y ∈ C  ⟹  (∅, {Ey}) 

Logical expansion rules for BBI 

(T¬)   T¬φ : x ∈ F  ⟹  ({Fφ : x}, ∅) 
(F¬)   F¬φ : x ∈ F  ⟹  ({Tφ : x}, ∅) 
(T→)   Tφ→ψ : x ∈ F  ⟹  ({Fφ : x}, ∅) | ({Tψ : x}, ∅) 
(F→)   Fφ→ψ : x ∈ F  ⟹  ({Tφ : x, Fψ : x}, ∅) 
(T∗)   Tφ∗ψ : x ∈ F  ⟹  ({Tφ : c_i, Tψ : c_j}, {R,c_ic_jx}) 
(F∗)   Fφ∗ψ : x ∈ F and R,yzx ∈ C  ⟹  ({Fφ : y}, ∅) | ({Fψ : z}, ∅) 
(T—∗)  Tφ—∗ψ : x ∈ F and R,xyz ∈ C  ⟹  ({Fφ : y}, ∅) | ({Tψ : z}, ∅) 
(F—∗)  Fφ—∗ψ : x ∈ F  ⟹  ({Tφ : c_i, Fψ : c_j}, {R,xc_ic_j}) 

Frame expansion rules for BBI 

(Assoc)  R,xyt, R,tzw ∈ C  ⟹  (∅, {R,yzc_i, R,xc_iw}) 
(Sym)    x ~ y ∈ C  ⟹  (∅, {y ~ x}) 


with c_i, c_j, c_k fresh labels, Expr(x) any expression in which x occurs. 


Fig. 4. Tableaux rules for (B)BI 


Definition 1 (Tableau). A (B)BI tableau for a finite CSS $(F_0, C_0)$ is a list of 
CSSs, called branches, built inductively according to the following rules: 

1. The one branch list $[(F_0, C_0)]$ is a tableau for $(F_0, C_0)$; 
2. If the list $T_m \oplus [(F, C)] \oplus T_n$ is a tableau for $(F_0, C_0)$ and 

   Premiss 
   $(F_1, C_1) \mid \ldots \mid (F_k, C_k)$ 

   is a (B)BI expansion rule from Figs. 3 or 4 for which a concrete instance of 
   Premiss is fulfilled by $(F, C)$, then the list $T_m \oplus [(F \cup F_1, C \cup C_1); \ldots; (F \cup F_k, C \cup C_k)] \oplus T_n$ is a tableau for $(F_0, C_0)$. 

A (B)BI tableau for $\varphi$ is a (B)BI tableau for $(\{F\varphi : c_0\}, \emptyset)$. 
Partial Determinism   $z \in x \circ y \wedge z' \in x \circ y \to z = z'$ 

Total                 $\exists z\,(z \in x \circ y)$ 

Cancellativity        $z \in x \circ y \wedge z \in x \circ y' \to y = y'$ 

Single Unit           $x \in E \wedge x' \in E \to x = x'$ 

Indivisible Units     $x \in y \circ z \wedge x \in E \to y \in E$ 

Disjointness          $x \in y \circ y \to y \in E$ 

Splittability         $x \in E \wedge x \in F \to \bot$, $\quad x \in E \vee x \in F$, $\quad x \in F \to \exists y, z\,(y \in F \wedge z \in F \wedge x \in y \circ z)$ 

Cross-Split           $x \in t \circ u \wedge x \in v \circ w \to \exists a, b, c, d\,(t \in a \circ b \wedge u \in c \circ d \wedge v \in a \circ c \wedge w \in b \circ d)$ 

Upwards-Closed        $z \in x \circ y \wedge z \sqsubseteq z' \to \exists x', y'\,(z' \in x' \circ y' \wedge x \sqsubseteq x' \wedge y \sqsubseteq y')$ 

Downwards-Closed      $z \in x \circ y \wedge x' \sqsubseteq x \wedge y' \sqsubseteq y \to \exists z'\,(z' \in x' \circ y' \wedge z' \sqsubseteq z)$ 

Non-Branching         $x \sqsubseteq y \wedge x \sqsubseteq y' \to y \sqsubseteq y' \vee y' \sqsubseteq y$ 

Always-Joins          $x \sqsubseteq y \wedge x \sqsubseteq y' \to \exists z\,(y \sqsubseteq z \wedge y' \sqsubseteq z)$ 

Increasing            $z \in x \circ y \to y \sqsubseteq z$ 

Unit Self Joining     $x \in E \to x \in x \circ x$ 

Normal Increasing     $z \in x \circ y \wedge x \in E \to y \sqsubseteq z$ 


Fig. 5. Separation properties. 


Definition 2 (Closed Tableau/Proof). A CSS $(F, C)$ is closed if one of the 
following closure conditions holds: (1) $T\varphi : x \in F$, $F\varphi : y \in F$ and $x \sim y \in C$; 
(2) $F\top : x \in F$; (3) $T\bot : x \in F$; (4) $FI : x \in F$ and $Ex \in C$. A CSS is open iff 
it is not closed. A tableau is closed iff all its branches are closed. A proof for a 
formula $\varphi$ is a closed tableau for $\varphi$. 


We note that we could simply add (T¬), (F¬), and (Sym) to the BI system 
and obtain one for BBI. However, this causes a significant amount of redundancy 
in the production of labels and constraints while requiring many more derivation 
steps in proofs, something that does not arise with the BBI rules given. 


Extension with Separation Theories. A separation property is a first-order 
axiom in the language of (B)BI Kripke frames. Figure 5 gives separation prop- 
erties taken from across the Separation Logic literature [10, 13, 14, 24], presented 
as coherent formulae. A separation theory is thus a collection $\Sigma$ of axioms from 
Fig. 5. The syntactic form of coherent formulae enables a uniform translation of 
separation properties into tableaux expansion rules and closure conditions. First, 
each first-order atomic formula is translated into constraints: $\mathrm{Tr}(z \in x \circ y) = R_* xyz$, 
$\mathrm{Tr}(x \in E) = Ex$, $\mathrm{Tr}(x \sqsubseteq y) = x \sim y$ and $\mathrm{Tr}(x = x') = x \sim x', x' \sim x$. 
Given $A_1(\bar{x}) \wedge \cdots \wedge A_n(\bar{x}) \to \exists \bar{y}_1 B_1(\bar{x}, \bar{y}_1) \vee \cdots \vee \exists \bar{y}_m B_m(\bar{x}, \bar{y}_m)$ with $n, m \neq 0$, 
we obtain the frame expansion rule 


where each $C_i$ is the set of constraints translated from the conjuncts of $B_i$, using 
fresh labels $\bar{c}_i$ in place of the previously quantified $\bar{y}_i$. For example, the separation 
properties Cross-Split and Non-Branching are translated to the rules 

      premiss $R_* tux, R_* vwx \in C$ 
      conclusion $(\emptyset, \{R_* c_i c_j t, R_* c_k c_l u, R_* c_i c_k v, R_* c_j c_l w\})$ 

      premiss $x \sim y, x \sim y' \in C$ 
      conclusion $(\emptyset, \{y \sim y'\}) \mid (\emptyset, \{y' \sim y\})$ 

where $c_i, c_j, c_k, c_l$ are fresh labels. The special case $n = 0$ gives a rule with premiss 
$\mathrm{Expr}_1(x_1), \ldots, \mathrm{Expr}_p(x_p) \in F \cup C$, where each $\mathrm{Expr}_i(x_i)$ is any expression 
in which $x_i$ occurs and the $x_i$ are the universally quantified variables in the 
original formula. The case $m = 0$ gives a new closure condition consisting of the 
conjunction of constraints translated from the antecedent of the original formula. 

Note that the property Splittability is defined by a system of coherent axioms. 
These axioms force the new predicate $F$ to be interpreted as the complement of 
$E$. When translated into tableaux rules, $x \in F$ gives a new constraint $Fx$. 

Given a separation theory $\Sigma$, a (B)BI + $\Sigma$-tableau/proof is defined in the 
same way as Definitions 1 and 2, except that a tableau can also be expanded by 
translated $\Sigma$-rules, and any new closure properties obtained from $\Sigma$ can factor 
into the closure of a tableau and thus into proofs. 

We give an example of a tableau proof in Fig. 6. The formula $(\neg I \mathrel{-\!*} \bot) \to I$ 
is valid in BBI models satisfying Total, but not in all BBI models [35], and 
Fig. 6 (written, for clarity, using the traditional representation of tableaux and 
using $\otimes$ to denote closed branches) shows that the tableaux system for BBI + 
Total proves it. The left-hand branch is closed because both $FI : c_0$, $TI : c_0$ and 
$c_0 \sim c_0$ occur, while the right is closed because $T\bot : c_1$ occurs. 


4 Applications to Separation Logics 


A separation logic can be determined by an assertion logic to describe machine 
state (a theory of (B)BI generated by validity in a concrete model of (B)BI + 
$\Sigma$ for some separation theory $\Sigma$) and a specification logic to describe changes 
to machine state following program execution (typically a logic of Hoare triples 
$\{\varphi\}C\{\psi\}$, where $\varphi$ and $\psi$ are formulas of the assertion language and $C$ is a 
program in some programming language). Soundness of the frame rule, 

$$\frac{\{\varphi\}\,C\,\{\psi\}}{\{\varphi * \chi\}\,C\,\{\psi * \chi\}}$$

where $\chi$ does not include any free variables modified by the program $C$, witnesses 
the coherence of these different aspects, and facilitates Separation Logic's char- 
acteristic 'local reasoning', which allows conclusions about a program's effect on 
the global state to be derived from reasoning on just the resource it accesses. 


(1) $(\{F(\neg I \mathrel{-\!*} \bot) \to I : c_0\}, \emptyset)$   Premiss 

(2) $(\{T\neg I \mathrel{-\!*} \bot : c_0, FI : c_0\}, \emptyset)$   (F→), from (1) 

(3) $(\emptyset, \{R_* c_0 c_0 c_1\})$   Total, from (1) 

(4) left branch $(\{F\neg I : c_0\}, \emptyset)$, right branch $(\{T\bot : c_1\}, \emptyset)$   (T-*), from (2), (3) 

(5) left branch $(\{TI : c_0\}, \emptyset)$ by (F¬), from (4); right branch closed, $\otimes$ 

(6) left branch $(\emptyset, \{c_0 \sim c_0\})$   (Ref), from (5) 
$\otimes$ 


Fig. 6. Tableau proof of $(\neg I \mathrel{-\!*} \bot) \to I$ in the BBI + Total system. 


Modular Tableaux Calculi for Separation Theories 451 


To demonstrate the wide applicability of our framework we now give a num- 
ber of separation logics that are models of separation theories. We note that our 
systems can be incomplete with respect to a given concrete model, but this is 
as expected for any proof system: the benefit versus a standard (B)BI system— 
which will be incomplete with respect to the class of models of a given separation 
theory—is the capability to make inferences based on the additional structure the 
model carries. Because of space constraints this selection is demonstrative rather 
than exhaustive. Other examples include Petri nets [13]; step-indexed models for 
storable locks [11] and the Iris framework [33]; separation logics incorporating 
named [42] and fractional [7] permissions; and separation logics designed for 
message passing [49] and amortized resource analysis [3]. 


Heaps. Our first example is given by the standard memory models of Separation 
Logic [32]. A heap is a partial function $h : \mathbb{N} \rightharpoonup \mathbb{Z}$, representing an allocation 
of memory addresses to values. Given heaps $h, h'$, $h \# h'$ denotes that $\mathrm{dom}(h) \cap 
\mathrm{dom}(h') = \emptyset$; $h \cdot h'$ denotes the union of functions with disjoint domains, which 
is defined iff $h \# h'$. The empty heap, $[]$, is defined nowhere. 

Let $H$ denote the set of all heaps. Then $\mathrm{Heap}_{BBI} = (H, \cdot, \{[]\})$ is a BBI 
frame. Letting $h \sqsubseteq h'$ denote that $h'$ extends $h$, $\mathrm{Heap}_{BI} = (H, \sqsubseteq, \cdot, H)$ defines a 
BI frame. These frames generate the standard classical and intuitionistic mod- 
els of Separation Logic. $\mathrm{Heap}_{BBI}$ satisfies Partial Determinism, Cancellativity, 
Single Unit, Indivisible Units, Cross-Split and Unit Self Joining; $\mathrm{Heap}_{BI}$ addi- 
tionally satisfies Splittability, Upwards-Closed, Downwards-Closed, Increasing 
and Normal Increasing while dropping Single Unit and Unit Self Joining. 

One property distinguishing the standard memory models is that $*$- 
elimination ($\varphi * \psi \to \psi$, useful for reasoning about garbage-collected languages) 
is valid in the intuitionistic heap model but not the classical. Cao et al. [14] show 
that this corresponds to the separation property Increasing. Figure 7 (written 
with a traditional tableau presentation) shows a single branch tableaux proof 
of $\varphi * \psi \to \psi$ for BI + Increasing, closed because $T\psi : c_4$, $F\psi : c_1$ and $c_4 \sim c_1$ 
occur. 


Permissions. Permissions are incorporated into variants of separation logics 
that are designed to reason about certain kinds of concurrent algorithms and 
more fine-grained notions of memory disjointness: for example, disjointness mod- 
ulo shared read permission. Hóu [29] reports a schema of Clouston that encom- 
passes many such models: we recall it, with two concrete instances. 

Let $V$ be a set of values and $\times : V^2 \rightharpoonup V$ an associative and commutative 
partial function. Denote by $H_V$ the set of $V$-valued heaps $h : \mathbb{N} \rightharpoonup V$. Then 
$\mathrm{Heap}_V = (H_V, \circ_\times, \{[]\})$ is a BBI frame, where $\circ_\times$ is defined by 

$$(h_1 \circ_\times h_2)(n) = \begin{cases} h_1(n) \times h_2(n) & \text{if } n \in \mathrm{dom}(h_1) \cap \mathrm{dom}(h_2) \text{ and } h_1(n) \times h_2(n) \downarrow \\ h_1(n) & \text{if } n \in \mathrm{dom}(h_1) \setminus \mathrm{dom}(h_2) \\ h_2(n) & \text{if } n \in \mathrm{dom}(h_2) \setminus \mathrm{dom}(h_1) \\ \text{undefined} & \text{otherwise.} \end{cases}$$
(1) $(\{F\varphi * \psi \to \psi : c_0\}, \emptyset)$   Premiss 

(2) $(\{T\varphi * \psi : c_1, F\psi : c_1\}, \{c_0 \sim c_1\})$   (F→), from (1) 

(3) $(\{T\varphi : c_3, T\psi : c_4\}, \{R_* c_3 c_4 c_2, c_2 \sim c_1\})$   (T*), from (2) 

(4) $(\emptyset, \{c_4 \sim c_2\})$   Increasing, from (3) 

(5) $(\emptyset, \{c_4 \sim c_1\})$   (Trans), from (2), (3) 
$\otimes$ 


Fig. 7. Tableau proof of $\varphi * \psi \to \psi$ in the BI + Increasing system. 
Hóu defines Bornat et al.'s [6] counting permissions model with $V = \mathbb{Z}^2$ and 

$$(x, i) \times (y, j) = \begin{cases} (x, i + j) & \text{if } x = y,\ i < 0 \text{ and } j < 0 \\ (x, i + j) & \text{if } x = y,\ i + j \ge 0 \text{ and } (i < 0 \text{ or } j < 0) \\ \text{undefined} & \text{otherwise.} \end{cases}$$

This frame satisfies Partial Determinism, Cancellativity, Indivisible Units, Single 
Unit, Cross-Split and Unit Self Joining. 
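The standard heap composition and the counting-permission frame above, as added example code (not the paper's or Hóu's implementation): it encodes $h \cdot h'$, $h_1 \circ_\times h_2$ and $\times$ for counting permissions, then brute-forces Cancellativity and Disjointness over every heap on two constructed addresses. The sample values and all function names are assumptions of this example.

```python
"""Heap frames as constructed example code: standard composition h . h'
(defined iff h # h'), V-valued composition h1 o_x h2 over a value composition x,
Bornat et al.'s counting permissions, and brute-force separation-property checks."""
from itertools import product


def count_compose(p, q):
    """Counting permissions (x, i) x (y, j) as defined on the page.  A source (x, i)
    with i >= 0 records how many read permissions (x, -1) it has split off.
    Returns None where the composition is undefined."""
    (x, i), (y, j) = p, q
    if x != y:
        return None
    if i < 0 and j < 0:                  # two bundles of read permissions
        return (x, i + j)
    if i + j >= 0 and (i < 0 or j < 0):  # a source absorbing some of its reads
        return (x, i + j)
    return None                          # two sources, or more reads than were split off


def heap_compose(h1, h2, vcompose):
    """h1 o_x h2: combine shared addresses with vcompose, keep the others as they are;
    undefined (None) as soon as one value composition is undefined."""
    out = {}
    for n in set(h1) | set(h2):
        if n in h1 and n in h2:
            v = vcompose(h1[n], h2[n])
            if v is None:
                return None
            out[n] = v
        else:
            out[n] = h1[n] if n in h1 else h2[n]
    return out


def classical_compose(h1, h2):
    """Standard heap composition h . h': defined only when the domains are disjoint."""
    return heap_compose(h1, h2, lambda _a, _b: None)


def counting_compose(h1, h2):
    """Composition of the counting-permission heap frame Heap_V."""
    return heap_compose(h1, h2, count_compose)


def all_heaps(addresses, values):
    """Every heap whose domain is a subset of `addresses` with values in `values`."""
    return [{n: v for n, v in zip(addresses, choice) if v is not None}
            for choice in product([None] + list(values), repeat=len(addresses))]


def cancellative(heaps, compose):
    """Cancellativity: z in x o y and z in x o y' implies y = y', over `heaps`."""
    for x, y, y2 in product(heaps, repeat=3):
        z = compose(x, y)
        if z is not None and z == compose(x, y2) and y != y2:
            return False
    return True


def disjoint(heaps, compose):
    """Disjointness: x in y o y implies y in E, where E = {[]} in these BBI frames."""
    return all(compose(y, y) is None or y == {} for y in heaps)


# Constructed sample: two addresses, permission values on cell 5 plus a source on cell 6.
SAMPLE_HEAPS = all_heaps([0, 1], [(5, -2), (5, -1), (5, 0), (5, 1), (6, 0)])
```

Running the checks on SAMPLE_HEAPS reproduces the page's listings: both frames are cancellative, only the standard frame is disjoint (a read permission composes with itself).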

Hóu defines Dockins et al.'s [24] binary tree model by considering the set $T$ 
of non-empty binary trees with leaves labelled $\top$ or $\bot$ that are quotiented by the 
smallest congruence that identifies any subtree in which all leaves have the same 
label with a single leaf carrying that label. Then $V = \mathbb{Z} \times T$, and $\times$ is defined, 
where $\vee$ ($\wedge$) denotes pointwise disjunction (conjunction) of equivalent trees, by 

$$(x, [t]) \times (y, [t']) = \begin{cases} (x, [t \vee t']) & \text{if } x = y \text{ and } [t \wedge t'] = [\bot] \\ \text{undefined} & \text{otherwise.} \end{cases}$$

This frame satisfies Partial Determinism, Cancellativity, Single Unit, Indivisible 
Units, Disjointness, Splittability, Cross-Split and Unit Self Joining. 


Crash Hoare Logic. Chen et al. [16] use a separation logic to verify that the 
FSCQ file system meets its specification and secures its data under any sequence 
of crashes. Cao et al. [14] give the underlying model as the following BI frame. 
Let $V^+$ be the set of non-empty lists over a set $V$ and $\epsilon$ the empty list. Buffer 
heaps are defined to be heaps $h : \mathbb{N} \rightharpoonup V^+$. Let $H_{Buf}$ be the set of all buffer 
heaps. Then $\mathrm{Heap}_{Buf} = (H_{Buf}, \le, \cdot, \{[]\})$ is a BI frame, where $\cdot$ is the usual heap 
composition, and $h_1 \le h_2$ iff $\mathrm{dom}(h_1) = \mathrm{dom}(h_2)$ and $\forall x \in \mathbb{N}$, $\exists l \in V^+ \cup \{\epsilon\}$ such 
that $h_1(x) = l \mathbin{@} h_2(x)$ (with $@$ list concatenation). This frame satisfies Partial Determinism, Cancellativity, 
Single Unit, Indivisible Units, Cross-Split, Upwards-Closed, Downwards-Closed, 
Always-Joins, Non-Branching, Unit Self Joining, and Normal Increasing. 


Typed Heaps. Cao et al. [14] give an example derived from the handling of 
multibyte locks in Appel's [2] Verified System Toolchain separation logic for 
CompCert C. Let a typed heap be a partial map $h : \mathbb{N} \rightharpoonup \{\mathrm{char}, \mathrm{short}_1, \mathrm{short}_2\}$ 
such that $h(n) = \mathrm{short}_1$ implies $h(n+1) = \mathrm{short}_2$. Let $H_{Typ}$ denote the set of all 
typed heaps. Then $\mathrm{Heap}_{Typ} = (H_{Typ}, \le, \circ, H_{Typ})$ is a BI frame, where $h_1 \le h_2$ 
iff, for all $n \in \mathrm{dom}(h_1)$ either $n \in \mathrm{dom}(h_2)$ and $h_1(n) = h_2(n)$ or $h_1(n) = \mathrm{char}$, 
and $h \in h_1 \circ h_2$ iff $h_1 \cdot h_2 \le h$. This frame satisfies Indivisible Units, Disjointness, 
Splittability, Cross-Split, Upwards-Closed, Downwards-Closed, Non-Branching, 
Increasing, and Normal Increasing. 


5 Metatheory 


Tableaux Systems as Coherent Theories. Just as coherent formulae yield 
tableaux rules, tableaux rules yield coherent formulae, allowing a complete spec- 
ification of our calculi as coherent theories. Our framework determines a first- 
order signature: for each formula $\varphi$ of (B)BI, we have unary relation symbols $T\varphi$ 
and $F\varphi$, together with the unary relation symbol $E$, the binary relation symbol 
$\sim$ and the ternary relation symbol $R_*$. 

Given a rule premiss '$S\varphi : x \in F$ and $A_1 x^1_1 \ldots x^1_{k_1}, \ldots, A_m x^m_1 \ldots x^m_{k_m} \in C$' we 
obtain the coherent antecedent $C(\bar{x}) = S\varphi(x) \wedge \bigwedge_i A_i x^i_1 \ldots x^i_{k_i}$. For the $j$-th 
conclusion $(F_j, C_j)$ of the rule we obtain $\exists \bar{y}_j C_j(\bar{x}, \bar{y}_j)$, where $C_j$ is the conjunction 
of atomic formulae translated from the constraints in $F_j \cup C_j$, with any fresh 
labels $\bar{c}$ that occurred substituted with $\bar{y}_j$. The translated rule is thus $C(\bar{x}) \to 
\exists \bar{y}_1 C_1(\bar{x}, \bar{y}_1) \vee \cdots \vee \exists \bar{y}_n C_n(\bar{x}, \bar{y}_n)$. For example, the instance of the BI rule (F-*) 
for $\varphi \mathrel{-\!*} \psi$ becomes $F\varphi \mathrel{-\!*} \psi(x) \to \exists y_1, y_2, y_3\,(T\varphi(y_2) \wedge F\psi(y_3) \wedge x \sim y_1 \wedge R_* y_1 y_2 y_3)$. 

There are some special cases to pay attention to. For tableaux rules with 
premiss $\mathrm{Expr}(x) \in F \cup C$ the antecedent of the translated coherent formula 
is $\top$. This is not the case for rules with premiss $\mathrm{Expr}(x) \in C$: these must be 
translated into a separate rule for each of the finitely many ways $x$ can occur 
in each constraint. Finally, each closure condition '$S_1\varphi_1 : x_1, \ldots, S_n\varphi_n : x_n$, 
$A_1 y^1_1 \ldots y^1_{k_1}, \ldots, A_m y^m_1 \ldots y^m_{k_m}$' gives $\bigwedge_i S_i\varphi_i(x_i) \wedge \bigwedge_i A_i y^i_1 \ldots y^i_{k_i} \to \bot$. 
Given a (B)BI formula $\varphi$, the finite coherent theory $\Phi^{(B)BI+\Sigma}_\varphi$ is given by the 
translated (B)BI + $\Sigma$-frame expansion rules, the translated closure conditions 
and the instances of translated logical expansion rules for subformulae of $\varphi$. We 
note that we could specify the whole tableaux system for (B)BI + $\Sigma$ as an infinite 
coherent theory (similar to the axiomatization of a Hintikka set in standard 
tableaux completeness proofs), but finiteness is required for our argument. 


Soundness and Completeness. We now prove soundness and completeness 
of the tableaux method via an analogous result for the Tarskian semantics of 
coherent logic. First, we show that the existence of a Kripke (B)BI + $\Sigma$-model 
with a state that doesn't satisfy $\varphi$ is equivalent to the existence of a Tarskian 
model of $\Phi^{(B)BI+\Sigma}_\varphi \cup \{\exists x. F\varphi(x)\}$. 


Definition 3 (Induced Kripke Model of M). Given a Tarskian model $M$ 
of $\Phi^{(B)BI+\Sigma}_\varphi$, define $[a] = \{b \mid a \sim^I b, b \sim^I a\}$ and $X_M = \{[a] \mid a \in X\}$. 
Then $[a] \sqsubseteq_M [b]$ iff $a \sim^I b$, $[c] \in [a] \circ_M [b]$ iff $R^I_* abc$, and $E_M = \{[a] \mid E^I a\}$. 
$V_M(p) = \{[a] \mid \exists b\,(b \sim^I a \text{ and } Tp^I(b))\}$. 

1. If $M$ is a model of $\Phi^{BI+\Sigma}_\varphi$, the induced Kripke frame is given by $\mathcal{X}_M = 
(X_M, \sqsubseteq_M, \circ_M, E_M)$; the induced Kripke model is given by $(\mathcal{X}_M, V_M)$. 

2. If $M$ is a model of $\Phi^{BBI+\Sigma}_\varphi$, the induced Kripke frame is given by $\mathcal{X}_M = 
(X_M, \circ_M, E_M)$; the induced Kripke model is given by $(\mathcal{X}_M, V_M)$. 


454 S. Docherty and D. Pym 


The induced Kripke frame is a well-defined structure because of the frame 
tableaux rules, with $[-]$ forming equivalence classes and $\sqsubseteq_M$, $\circ_M$, and $E_M$ 
independent from the choice of representatives due to (Cong). The (B)BI + $\Sigma$- 
frame properties for the induced frame follow from their correspondent rules in 
the tableaux and the valuation $V_M$ is independent of choice of representative 
and persistent for induced Kripke BI + $\Sigma$-models. 


Lemma 1. Given a Tarskian model $M$ of $\Phi^{(B)BI+\Sigma}_\varphi$, the induced Kripke model 
$\mathcal{X}_M$ is a Kripke (B)BI + $\Sigma$-model. 


The significance of this model is that satisfiability of subformulae $\psi$ of $\varphi$ 
is determined by the interpretation of the relation symbols $S\psi$ in the original 
Tarskian model. A simple proof by induction yields the next lemma. 


Lemma 2. Let $M$ be a Tarskian model of the coherent theory $\Phi^{(B)BI+\Sigma}_\varphi$, $\psi$ a 
subformula of $\varphi$ and $a \in X$. 1. If $T\psi^I(a)$ holds in $M$, then $[a] \models_{\mathcal{X}_M} \psi$; 2. If 
$F\psi^I(a)$ holds in $M$, then $[a] \not\models_{\mathcal{X}_M} \psi$. 


We can also induce Tarskian models from Kripke models. Let $(\mathcal{X}, V)$ be a 
Kripke (B)BI + $\Sigma$-model. We define the induced Tarskian model by taking $X$ 
to be the carrier, and defining the interpretation $I$ by $\sim^I = \sqsubseteq$, $R^I_* = \{(a, b, c) \mid 
c \in a \circ b\}$, $E^I = E$, $T\psi^I = \{x \mid x \models_{\mathcal{X}} \psi\}$ and $F\psi^I = \{x \mid x \not\models_{\mathcal{X}} \psi\}$. 


Lemma 3. Every Kripke (B)BI + $\Sigma$-model $(\mathcal{X}, V)$ with a state $x$ (not) satisfying 
$\varphi$ induces a model of $\Phi^{(B)BI+\Sigma}_\varphi \cup \{\exists x. T\varphi(x)\}$ ($\Phi^{(B)BI+\Sigma}_\varphi \cup \{\exists x. F\varphi(x)\}$). 


We now connect the existence of a closed tableaux to Bezem and Coquand's 
[4] breadth-first forward reasoning proof system for coherent logic. In their sys- 
tem, judgments of the form $X \Vdash_\Phi D$ are derived, where $X$ is a set of atomic 
first-order sentences, $\Phi$ a finite coherent theory and $D$ a closed coherent disjunc- 
tion; a first-order sentence with the same syntactic shape as the consequent of a 
coherent formula. The derivation of the judgment $X \Vdash_\Phi D$ is defined inductively: 


1. (Base): $X \Vdash_\Phi D$ holds if for one of the disjuncts $\exists \bar{y}.C$ of $D$, there are constants 
$\bar{a}$ such that all conjuncts of $C[\bar{y} := \bar{a}]$ occur in $X$; 

2. (Inductive Step): Consider all closed instances $C_i \to D_i$ of $\Phi$-axioms such 
that the conjuncts of $C_i$ occur in $X$ but the conjuncts of no disjunct $C_{i,j}$ 
of $D_i$ do. There exist finitely many, with their consequents thus enumerated 
$D_0, \ldots, D_n$. Let $\exists \bar{y}_{i,j}.C_{i,j}$ denote the $j$-th of the $m_i$ disjuncts of $D_i$, and 
denote by $C'_{i,j}$ the substitution of $\bar{y}_{i,j}$ with fresh constants. Infer $X \Vdash_\Phi D$ 
from $\forall j_0 \in \{1, \ldots, m_0\}, \ldots, \forall j_n \in \{1, \ldots, m_n\}\,(X, C'_{0,j_0}, \ldots, C'_{n,j_n} \Vdash_\Phi D)$. 
Importantly, if a $D_i$ is $\bot$, then $m_i = 0$, and $X \Vdash_\Phi D$ is trivially inferred. 


A derivation can be seen as a kind of tableau, branching at each stage by 
adding every possible consequence of $\Phi$ obtainable from the atomic first-order 
sentences at the current node. A semi-decidable procedure is given to systemat- 
ically search for a derivation of $X \Vdash_\Phi D$. First check the base case. If it doesn't 
hold, apply the inductive step to any $\Phi$-axioms fireable from $X$. If there are 
none, $X$ forms an Herbrand countermodel of $\Phi$ against $D$. If the inductive step 
can be applied, apply the search procedure recursively to all premisses. Bezem 
and Coquand show that successful termination corresponds to Tarskian truth. 
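The breadth-first search procedure just described, as added example code (not Bezem and Coquand's or the paper's implementation): it searches for $\{F\varphi(a)\} \Vdash_\Phi \bot$ over a constructed theory holding only the instances of the BI rules (F→), (T→), (Ref) and closure condition (1) that the formulas $\varphi \to \psi$ and $(\varphi \to \psi) \to (\varphi \to \psi)$ need. Predicate names such as Tphi, Fimp and Sim (for the constraint $x \sim y$) are this example's own encoding.

```python
"""Breadth-first forward reasoning for a finite coherent theory (constructed
example).  Atoms are tuples ("Pred", t1, ...); lowercase names are variables,
names starting with "c" are constants.  An axiom is (antecedent_atoms, disjuncts)
with each disjunct (existential_vars, atoms); an empty disjunct list means False."""
from itertools import product


def is_var(t):
    return isinstance(t, str) and not t.startswith("c")


def match_atom(pattern, atom, subst):
    """Extend subst so that pattern instantiates to atom, or return None."""
    if pattern[0] != atom[0] or len(pattern) != len(atom):
        return None
    s = dict(subst)
    for p, a in zip(pattern[1:], atom[1:]):
        if is_var(p):
            if s.get(p, a) != a:
                return None
            s[p] = a
        elif p != a:
            return None
    return s


def matches(conjuncts, facts, subst=None):
    """Every substitution (extending subst) under which all conjuncts occur in facts."""
    subst = {} if subst is None else subst
    if not conjuncts:
        return [subst]
    found = []
    for atom in facts:
        s = match_atom(conjuncts[0], atom, subst)
        if s is not None:
            found.extend(matches(conjuncts[1:], facts, s))
    return found


def instantiate(atom, subst):
    return (atom[0],) + tuple(subst.get(t, t) for t in atom[1:])


def derives_bottom(facts, theory, fresh, depth=0, bound=20):
    """Search for X |-_Phi False: (True, None) when every branch fires an axiom with
    consequent False (m_i = 0), or (False, X) with X a Herbrand countermodel when no
    axiom fires any more.  The base case never applies since False has no disjuncts;
    the depth bound only guards this semi-decidable search against non-termination."""
    fired = []
    for antecedent, disjuncts in theory:
        for s in matches(antecedent, facts):
            # An instance fires only if no disjunct of its consequent already holds.
            holds = any(matches([instantiate(a, s) for a in atoms], facts)
                        for _evars, atoms in disjuncts)
            if not holds:
                fired.append((s, disjuncts))
    if not fired:
        return False, facts
    if depth >= bound:
        raise RuntimeError("search bound reached")
    alternatives = []
    for s, disjuncts in fired:
        alts = []
        for evars, atoms in disjuncts:
            s2 = dict(s, **{v: fresh() for v in evars})  # fresh constants for exists-vars
            alts.append([instantiate(a, s2) for a in atoms])
        alternatives.append(alts)
    # One premiss per choice of a disjunct for every fired instance; an instance with
    # consequent False contributes no choice, so the product is empty and we are done.
    for choice in product(*alternatives):
        closed, model = derives_bottom(frozenset(facts).union(*choice), theory,
                                       fresh, depth + 1, bound)
        if not closed:
            return False, model
    return True, None


def prove(initial_facts, theory):
    counter = iter(range(1, 10**6))
    return derives_bottom(frozenset(initial_facts), theory,
                          lambda: "c%d" % next(counter))


# Constructed theory: Fimp2 = F of (phi -> psi) -> (phi -> psi), Fimp/Timp = F/T of
# phi -> psi, Sim(x, y) = the constraint x ~ y.  (Ref) is restricted to the labels of
# Tphi and Fpsi, which is all this proof needs.
BI_THEORY = [
    ([("Fimp2", "x")], [(["y"], [("Timp", "y"), ("Fimp", "y"), ("Sim", "x", "y")])]),  # (F->)
    ([("Fimp", "x")], [(["y"], [("Tphi", "y"), ("Fpsi", "y"), ("Sim", "x", "y")])]),   # (F->)
    ([("Timp", "x"), ("Sim", "x", "y")], [([], [("Fphi", "y")]), ([], [("Tpsi", "y")])]),  # (T->)
    ([("Tphi", "x")], [([], [("Sim", "x", "x")])]),                                    # (Ref)
    ([("Fpsi", "x")], [([], [("Sim", "x", "x")])]),                                    # (Ref)
    ([("Tphi", "x"), ("Fphi", "y"), ("Sim", "x", "y")], []),                          # closure (1)
    ([("Tpsi", "x"), ("Fpsi", "y"), ("Sim", "x", "y")], []),                          # closure (1)
]
```

`prove({("Fimp2", "c0")}, BI_THEORY)` closes both branches opened by (T→), while `prove({("Fimp", "c0")}, BI_THEORY)` stops with the open branch as a Herbrand countermodel, mirroring the correspondence between the search and a closed tableau.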


Theorem 1 ([4]). $X \Vdash_\Phi D$ is derivable iff the search procedure successfully 
terminates for $X \Vdash_\Phi D$ iff $D$ is true in all Tarskian models of $X \cup \Phi$. 


It is straightforward that the search procedure for $\{F\varphi(a)\} \Vdash_{\Phi^{(B)BI+\Sigma}_\varphi} \bot$ 
corresponds precisely to an exhaustive search for a closed tableau for $\varphi$. 


Lemma 4. There exists a closed (B)BI + $\Sigma$-tableaux for $\varphi$ iff the search pro- 
cedure for $\{F\varphi(a)\} \Vdash_{\Phi^{(B)BI+\Sigma}_\varphi} \bot$ successfully terminates. 


Hence if a closed (B)BI + $\Sigma$-tableaux does not exist for $\varphi$, there exists a 
Tarskian model $M$ of $\Phi^{(B)BI+\Sigma}_\varphi \cup \{\exists x. F\varphi(x)\}$. By Lemma 2, the induced Kripke 
model $\mathcal{X}_M$ has a state $[a]$ such that $[a] \not\models_{\mathcal{X}_M} \varphi$, establishing that $\varphi$ fails to be 
valid for Kripke (B)BI + $\Sigma$-models. Conversely, if a closed tableaux does exist, 
then there is no Tarskian model $M$ of $\Phi^{(B)BI+\Sigma}_\varphi \cup \{\exists x. F\varphi(x)\}$. By Lemma 3, 
$\varphi$ is valid in Kripke (B)BI + $\Sigma$-models, as otherwise any countermodel would 
generate a Tarskian model $M$ of $\Phi^{(B)BI+\Sigma}_\varphi \cup \{\exists x. F\varphi(x)\}$, a contradiction. 


Theorem 2 (Soundness and Completeness for (B)BI + $\Sigma$-Tableaux). $\varphi$ 
is valid in Kripke (B)BI + $\Sigma$-models iff $\varphi$ is provable in the (B)BI + $\Sigma$-tableaux 
system. 


6 Conclusions and Further Work 


We have given a framework of tableaux systems that exhaustively captures the 
breadth of separation theories in the literature. Our framework is proven sound 
and complete parametrically by a novel representation of tableaux systems as 
coherent theories that allows us to apply existing theory from coherent logic. 
This resolves the expressivity gap between the logics of bunched implications 
and the separation logics defined upon them, and provides proof theory for the 
assertion languages of a wide array of program logics. 

The completeness of tableaux systems is usually proved by defining a notion 
of a Hintikka set: a saturated set of (labelled) formulae (and possibly constraints) 
that specifies a term model of the logic. The existence of a Hintikka set is then 
shown to follow from non-existence of a tableau proof. Our method is a gener- 
alization of this idea, implemented parametrically by choice of tableaux system. 
While we have focused on Separation Logic, this technique is adaptable to vir- 
tually any logic interpreted on relational structures, including the breadth of 
bunched and modal logics. This suggests the significance of the coherent logic 
fragment extends beyond the generation of proof rules for frame conditions. 

The implementation of our systems is of principal importance for future 
work. Our tableaux representation suggests existing coherent logic provers (see 
[43] for a survey) may already be suitable, though tactics designed specifically 
for tableaux coherent theories may have to be developed to make this efficient. 
A closely related goal is the development of parametric Separation Logic imple- 
mentations that utilize our systems as assertion language provers. Finally, our 
results suggest interesting theoretical work. Coherent logic has close connections 
to topos theory, and Caramello [15] has developed techniques to transfer results 
between mathematical fields via bridges between the classifying topoi of coher- 
ent theories. We wish to investigate if any results of logical interest can be found 
in this way by utilizing the representation of tableaux as coherent theories. 
Abstract. We develop a domain-theoretic Differential Calculus for 
locally Lipschitz functions on finite dimensional real spaces with impre- 
cise input/output. The inputs to these functions are hyper-rectangles 
and the outputs are compact real intervals. This extends the domain 
of application of Interval Analysis and exact arithmetic to the deriva- 
tive. A new notion of a tie for these functions is introduced, which in 
one dimension represents a modification of the notion previously used 
in the one-dimensional framework. A Scott continuous sub-differential 
for these functions is then constructed, which satisfies a weaker form of 
calculus compared to that of the Clarke sub-gradient. We then adopt a 
Program Logic viewpoint using the equivalence of the category of stably 
locally compact spaces with that of semi-strong proximity lattices. We 
show that given a localic approximable mapping representing a locally 
Lipschitz map with imprecise input/output, a localic approximable map- 
ping for its sub-differential can be constructed, which provides a logical 
formulation of the sub-differential operator. 


Keywords: Imprecise input/output · Interval analysis · Exact computation · Lipschitz maps · Clarke gradient · Domain theory · Stone duality 


1 Introduction 


A well-known hurdle in numerical computation is caused by accumulation of 
round-off errors in floating point arithmetic, which can create havoc and lead 
to catastrophic errors in compound calculations. In safety-critical systems, 
where reliability of numerical computation is of utmost importance, one way to 
avoid the pitfalls of floating point arithmetic is to use interval analysis or exact 
arithmetic. In both interval analysis and exact arithmetic as well as in com- 
putable analysis, a real number is represented by a nested shrinking sequence 
of compact intervals whose intersection is the real number. Similarly, a real $n$- 
vector can be represented by a nested sequence of hyper-rectangles in $\mathbb{R}^n$. This 
leads to a framework in numerical computation and a framework for compu- 
tational geometry where the inputs of algorithms or programmes are imprecise 
real numbers or real $n$-vectors; see for example [3, 5, 6, 9, 10, 14, 15, 17, 21–23, 27]. 

All frameworks for interval analysis and exact real computation are based 
on functions whose input and output are real intervals. When we compose two 
such functions, the output of the first function serves as the input to the second 
function. An implementation of these frameworks in a functional programming 
language follows this same pattern; see for example the lazy Haskell implemen- 
tation of IC-Reals for Exact Real Computation [1], which uses linear fractional 
transformations as developed in [14,22]. 

An important feature of working with a calculus consisting of functions with 
interval or imprecise input/output is that even when we deal with elementary 
functions such as polynomials we cannot restrict ourselves to their canonical 
(maximal) extensions to intervals [21]. These canonical extensions take a com- 
pact interval to its forward image under the function. In fact, these extensions 
are not closed under, for example, multiplication. Thus, the real-valued map of a 
real variable $x \mapsto x^2$ when implemented with interval input by $x \mapsto x \times x$, using 
multiplication of two copies of the input interval, is not the canonical extension 
of the quadratic map of real numbers: it evaluates for example $[-1, 1]^2$ to $[-1, 1]$ 
rather than $[0, 1]$, which is what the canonical extension of the quadratic map 
evaluates to. In general, we need to work with any Scott continuous map of type 
$\mathbf{I}\mathbb{R} \to \mathbf{I}\mathbb{R}$ or, in higher dimension, of type $\mathbf{I}\mathbb{R}^n \to \mathbf{I}\mathbb{R}$, where $\mathbf{I}\mathbb{R}^n$ denotes the 
domain of hyper-rectangles of $\mathbb{R}^n$. 

In the past 60 years, interval analysis has grown as a distinct interdisciplinary 
subject to impact on nearly all areas of mathematical and numerical analy- 
sis including computer arithmetic, linear algebra, integration, solution of initial 
value problems and partial differential equations to correct solutions in mathe- 
matical optimisation and robotics; see [20]. It is natural to ask if the domain of 
application of interval analysis and exact computation can be extended to the 
derivative of functions, i.e., whether one can take a kind of derivative of a map 
which takes a compact interval or a compact hyper-rectangle as input. 

In [11], the notion of a domain-theoretic sub-differentiation of maps which 
have non-empty and compact intervals as inputs and outputs was introduced. 
The restriction of these maps to real numbers turns out to be locally Lipschitz 
maps of type $\mathbb{R} \to \mathbb{R}$ and the sub-differential restricted to real numbers has been 
shown to be the same as the Clarke sub-gradient [8]. A major problem, however, 
is that the framework in [11], which only deals with one-dimensional maps of 
type $\mathbf{I}\mathbb{R} \to \mathbf{I}\mathbb{R}$, is not accompanied with a Stone duality framework and thus, 
even in dimension one, cannot be used in order to handle program logic and 
predicate transformers. 

In [7], a typed lambda calculus in the framework of an extension of Real 
PCF [6, 17, 22] was introduced in which in particular continuously differentiable 
and more generally Lipschitz functions can be defined. Given an expression rep- 
resenting a real-valued function of a real variable in this language, one is able 
to evaluate the expression on an argument, representing an interval, but also 
evaluate the generalised derivative, i.e., the L-derivative, equivalently the Clarke 
gradient, of the expression on an interval. The operational semantics of the lan- 
guage, which is equipped with min and a weighted average, enjoys adequacy and 
a definability result proving that any computable Lipschitz map is definable in 
it. The denotational semantics is based on domain theory which in principle 
allows a program logic formulation of the computation, although this challenge 
has not been taken up yet. 

In [13], a point free framework for sub-differentiation of real-valued locally 
Lipschitz functions on finite dimensional Euclidean spaces has been developed 
which provides a Stone duality for the Clarke gradient and thus enables a pro- 
gram logic view of differentiation. However, the induced logical framework cannot 
be employed for the class of functions with imprecise input/output used in exact 
computation since, as already pointed out, this class necessarily contains general 
extensions of real-valued locally Lipschitz maps of finite dimensional Euclidean 
spaces. 

In this paper, we formulate a new notion of a tie of functions with impre- 
cise input/output, which, in one dimension, represents a modification of the 
corresponding notion in [12]. This allows us to develop a Scott continuous sub- 
differential for functions with hyper-rectangles in $\mathbb{R}^n$ as inputs and compact 
intervals in $\mathbb{R}$ as output, which are used in exact computation. We show that 
a weaker calculus compared to that for the Clarke sub-gradient is satisfied in 
this interval framework. In addition we construct a logical framework for sub- 
differentiation of locally Lipschitz maps of type $\mathbf{I}\mathbb{R}^n \to \mathbf{I}\mathbb{R}$. The basic Stone 
duality results developed in [13] are then extended to sub-differentiation of such 
interval maps. 


1.1 Background 


We assume the reader is familiar with basic elements of topology and domain 
theory. Following the definition in [18], by a domain we mean a continuous 
dcpo (directed complete partial order). All the domains we use in this paper are 
bounded complete as well. By $\mathbf{C}(\mathbb{R}^n)$, we denote the domain of non-empty convex 
and compact subsets of $\mathbb{R}^n$ ordered with reverse inclusion and augmented with 
$\bot = \mathbb{R}^n$ as the bottom element. If $C_1, C_2 \in \mathbf{C}(\mathbb{R}^n)$ then the way-below relation 
is given by $C_1 \ll C_2$ iff $C_1^\circ \supseteq C_2$, where $S^\circ$ is the interior of the set $S$. By $\mathbf{I}\mathbb{R}^n$, 
we denote the sub-domain of non-empty compact hyper-rectangles with faces 
parallel to coordinate hyper-planes of $\mathbb{R}^n$. The Euclidean norm of $x \in \mathbb{R}^n$ is 
denoted by $\|x\|$. 

The lattice of open subsets of a topological space $X$ is denoted by $\Omega(X)$. 
The Scott topology of a domain $D$ is, however, written as $\sigma_D$. The closure of 
$S \subseteq X$ is denoted by $\overline{S}$. The upper topology, equivalently the Scott topology, of 
$\mathbf{C}(\mathbb{R}^n)$ has a basis of the form 

$$\Box O = \{C \in \mathbf{C}(\mathbb{R}^n) : C \subseteq O\},$$

where $O$ belongs to a basis of open and convex subsets of $\mathbb{R}^n$. 
Given an open set $a \subseteq X$ of a topological space and an element $b \in D$ of 
a domain $D$, the single-step function $b\chi_a : X \to D$ is defined by $b\chi_a(x) = b$ 
if $x \in a$ and $\bot$ otherwise. A non-empty compact real interval $x$ is written as 
$x = [\underline{x}, \overline{x}]$. For a map $f : X \to Y$ of topological spaces, $f[S]$ denotes the 
image of the set $S \subseteq X$. 

The three operations of addition of two vectors, scalar multiplication of a 
vector and a real number, and the inner product of two vectors can be extended 
to $\mathbf{C}(\mathbb{R}^n)$ to obtain the following three Scott continuous maps: 


(i) $- + - : \mathbf{C}(\mathbb{R}^n) \times \mathbf{C}(\mathbb{R}^n) \to \mathbf{C}(\mathbb{R}^n)$ with $A + B = \{a + b : a \in A, b \in B\}$, 
(ii) $- \times - : \mathbb{R} \times \mathbf{C}(\mathbb{R}^n) \to \mathbf{C}(\mathbb{R}^n)$ with $rA = \{rx : x \in A\}$, and, 
(iii) $- \cdot - : \mathbf{C}(\mathbb{R}^n) \times \mathbf{C}(\mathbb{R}^n) \to \mathbf{I}\mathbb{R}$ with $A \cdot B = \{a \cdot b : a \in A, b \in B\}$. 


These three operations have well-defined restrictions to $\mathbf{I}\mathbb{R}^n$. In addition, in this 
paper, we will consider their higher order extension to sets of sets. For example, 
if $a_1, a_2 \in \Omega(\mathbb{R})$ are open subsets, then $\Box a_1, \Box a_2 \in \sigma_{\mathbf{C}(\mathbb{R})}$ and we have: 


$$(\Box a_1) + (\Box a_2) = \{x_1 + x_2 : x_1 \in \Box a_1, x_2 \in \Box a_2\}$$


Moreover: 


Proposition 1. (i) The modal operator $\Box : \Omega(\mathbb{R}^n) \to \sigma_{\mathbf{C}(\mathbb{R}^n)}$ preserves meets, 
i.e., $\Box O_1 \wedge \Box O_2 = \Box(O_1 \wedge O_2)$ for all $O_1, O_2 \in \Omega(\mathbb{R}^n)$. 
(ii) The way-below relation satisfies $O_1 \ll O_2$ if and only if $\Box O_1 \ll \Box O_2$ for 
all $O_1, O_2 \in \Omega(\mathbb{R}^n)$. 
(iii) If $O_1, O_2 \subseteq \mathbb{R}^n$ are open hyper-rectangles, then $\Box(O_1 + O_2) = \Box O_1 + \Box O_2$. 
(iv) If $O \subseteq \mathbb{R}^n$ is a convex open set and $a \subseteq \mathbb{R}^n$ is a hyper-rectangle, then 
$\Box(O \cdot a) = (\Box O) \cdot (\Box a)$. 


Next, we present the notion of Clarke's sub-gradient [4]. Recall that a map 
$f : U \subseteq \mathbb{R}^n \to \mathbb{R}$, where $U$ is an open set, is locally Lipschitz if all points 
in $U$ have an open neighbourhood $O \subseteq U$ with a constant $k > 0$ such that 
$|f(x) - f(y)| \le k\|x - y\|$ for all $x, y \in O$. The generalized directional derivative 
of a locally Lipschitz $f$ at $x$ in the direction of $v$ is defined as follows: 


$$f^\circ(x; v) = \limsup_{y \to x,\; t \to 0^+} \frac{f(y + tv) - f(y)}{t}$$


The Clarke subgradient of $f$ at $x$, denoted by $\partial f(x)$, is a convex and compact 
subset of $\mathbb{R}^n$ and is defined by: 


$$\partial f(x) = \{w \in \mathbb{R}^n : f^\circ(x; v) \ge w \cdot v \text{ for all } v \in \mathbb{R}^n\} \qquad (1)$$


The sub-gradient function $\partial f : U \subseteq \mathbb{R}^n \to \mathbf{C}(\mathbb{R}^n)$ is upper continuous, equiva- 
lently Scott continuous. Moreover, the Clarke sub-gradient satisfies a weak cal- 
culus. For locally Lipschitz maps $f, g : U \subseteq \mathbb{R}^n \to \mathbb{R}$, 


(i) Sum: $\partial f(x) + \partial g(x) \supseteq \partial(f + g)(x)$. 
(ii) Product: $(\partial f(x))g(x) + f(x)(\partial g(x)) \supseteq \partial(f \cdot g)(x)$. 
(iii) Chain rule: For $f, g : \mathbb{R} \to \mathbb{R}$, $\partial f(g(x)) \cdot \partial g(x) \supseteq \partial(f \circ g)(x)$. 


The notion of the L-derivative, equivalent to the Clarke sub-gradient, for real-valued functions on finite dimensional Euclidean spaces has the following ingredients [8]. A function $f : U \subseteq \mathbb{R}^n \to \mathbb{R}$ has a non-empty generalized Lipschitz constant $b \in C(\mathbb{R}^n)$ in a non-empty convex open set $a \subseteq \mathbb{R}^n$ if for all $x, y \in a$ we have $f(x) - f(y) \in b \cdot (x - y)$. The collection of all functions that have generalized Lipschitz constant $b$ in $a$ is denoted by $\delta(a, b)$, called the tie of $a$ with $b$. The collection of all single-step functions $b\chi_a$, with $a \subseteq U$ and $f \in \delta(a, b)$, is bounded in $(U \to C(\mathbb{R}^n))$ and thus the L-derivative of $f$, defined as

$$\mathcal{L}f = \sup\{b\chi_a : f \in \delta(a, b)\}$$

is a Scott-continuous function. Moreover, we have $\mathcal{L}f = \partial f$.
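As an added worked example of (1) and of the tie, not taken from the paper: let $f(x) = |x|$ on $U = \mathbb{R}$. Since $\big|\,|y + tv| - |y|\,\big| \le t|v|$ for all $y$ and $t > 0$, with equality at $y = 0$, the generalized directional derivative at $0$ and the subgradient (1) are

$$f^\circ(0; v) = \limsup_{y \to 0,\ t \to 0^+} \frac{|y + tv| - |y|}{t} = |v|, \qquad \partial f(0) = \{w \in \mathbb{R} : |v| \ge wv \text{ for all } v \in \mathbb{R}\} = [-1, 1],$$

while $\partial f(x) = \{\operatorname{sgn}(x)\}$ for $x \neq 0$. The same set comes out of the tie: $\big|\,|x| - |y|\,\big| \le |x - y|$ gives $|x| - |y| \in [-1, 1] \cdot (x - y)$ for all $x, y$, so $f \in \delta(a, [-1, 1])$ for every open interval $a$, and no compact convex $b \subsetneq [-1, 1]$ serves on an interval containing $0$ (take $x = \pm\varepsilon$, $y = 0$). Hence $\mathcal{L}f(0) = \sup\{b\chi_a : f \in \delta(a, b)\}(0) = [-1, 1] = \partial f(0)$.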


1.2 Stably Locally Compact Space and Semi-strong Proximity Lattice


We recall that in geometric logic one uses the open sets of a topological space as propositions or semi-decidable properties [25,26]. If $X$ is a topological space and $\Omega(X)$ its lattice of open sets, a propositional geometric theory is constructed as follows: For every open set $a \in \Omega(X)$, define a proposition $P_a$, i.e., every open set of $X$ provides a property or predicate. For open sets $a$ and $b$ with $a \subseteq b$ stipulate: (i) $P_a \vdash P_b$. For a family of open sets $S$, stipulate: (ii) $P_{\bigcup S} \vdash \bigvee_{a \in S} P_a$. For a finite family of open sets $S$, stipulate: (iii) $\bigwedge_{a \in S} P_a \vdash P_{\bigcap S}$. The converses of (ii) and (iii) follow from (i). The nullary disjunction in (ii) is interpreted as false and the nullary conjunction in the converse of (iii) is interpreted as truth, i.e., $P_\emptyset \vdash \mathrm{false}$ and $P_X \vdash \mathrm{truth}$.

We regard $x \in X$ as a model of the theory in which $P_a$ is interpreted as true iff $x \in a$, i.e., $x \models a$ iff $x \in a$, or, a point is a model of a proposition if it is in the open set representing the proposition. It is possible that different points give rise to the same model, i.e., satisfy the same open sets, and it is also possible that a model does not arise from a point of $X$ in this way. For so-called sober spaces, as we will define below, we do have a one-to-one correspondence between points and models.

A topological space $X$ is called stably locally compact [2,18] if it is sober, locally compact and the intersection of two compact saturated sets is compact. Recall that $X$ is sober if its points are in bijection with the completely prime filters of its lattice of open sets. (A set is saturated if it is the intersection of its open neighbourhoods.) Equivalently, $X$ is stably locally compact if and only if its lattice of open sets is a distributive continuous lattice which is also arithmetic, i.e., its way-below relation satisfies:

$$O \ll O_1, O_2 \implies O \ll O_1 \wedge O_2$$


The spaces $\mathbb{R}^n$, $\mathbb{IR}^n$ and $C(\mathbb{R}^n)$ are all stably locally compact spaces. The way-below relation for $\Omega(\mathbb{R}^n)$ is given by $O_1 \ll O_2$ iff $\overline{O_1}$ is compact and $\overline{O_1} \subseteq O_2$, whereas the way-below relation in $C(\mathbb{R}^n)$, and thus $\mathbb{IR}^n$, is given by Proposition 1. We can obtain a finitary representation of these spaces by a sub-lattice of open sets as we will now describe.

A semi-strong proximity lattice [13] consists of a tuple $(B; \vee, \wedge, 0, 1; \prec)$ in which $(B; \vee, \wedge, 0, 1)$ is a distributive lattice and $\prec$ is a binary relation on $B$ with $\prec = \prec \circ \prec$ satisfying:

$\forall a \in B\ \forall M \subseteq_f B.\ M \prec a \iff \bigvee M \prec a.$
$\forall a \in B.\ a \neq 1 \implies a \prec 1.$
$\forall a, a_1, a_2 \in B.\ a \prec a_1\ \&\ a \prec a_2 \iff a \prec a_1 \wedge a_2.$
$\forall a, x, y \in B.\ a \prec x \vee y \implies \exists x', y' \in B.\ x' \prec x\ \&\ y' \prec y\ \&\ a \prec x' \vee y'.$

Here, $M \subseteq_f B$ means that $M$ is a finite (possibly empty) subset of $B$, and $M \prec a$ means that $\forall m \in M.\ m \prec a$.

The relation $R \subseteq B_1 \times B_2$, between two semi-strong proximity lattices, is a localic approximable mapping if it satisfies:

$R \circ {\prec} = R.$
${\prec} \circ R = R.$
$\forall M \subseteq_f B_1\ \forall b \in B_2.\ M\,R\,b \iff (\bigvee M)\,R\,b.$
$\forall a \in B_1.\ a \neq 1 \implies a\,R\,1.$
$\forall a \in B_1\ \forall a_1, a_2 \in B_2.\ a\,R\,a_1\ \&\ a\,R\,a_2 \iff a\,R\,(a_1 \wedge a_2).$
$\forall a \in B_1\ \forall M \subseteq_f B_2.\ a\,R\,\bigvee M \implies \exists N \subseteq_f B_1.\ a \prec_1 \bigvee N\ \&\ \forall n \in N\ \exists m \in M.\ n\,R\,m.$


The identity approximable mapping on $B$ is $\prec_B$ and composition of approximable mappings is the usual composition of relations, in the same order as for functions.

Let SL-Compact denote the category of all stably locally compact spaces and continuous functions and let Semi-Strong PL denote the category of semi-strong proximity lattices and approximable mappings. The following functors between these categories establish an equivalence between them [13, 19].

$$A : \text{SL-Compact} \to \text{Semi-Strong PL}$$
$$G : \text{Semi-Strong PL} \to \text{SL-Compact}$$


Given a stably locally compact space $X$, fix a basis $B$ of its topology which is closed under finite intersections and let $A(X)$ be the semi-strong proximity lattice based on $B$. Given a continuous function $f : X_1 \to X_2$ between two stably locally compact spaces, we have a localic approximable mapping $A_f : A(X_1) \to A(X_2)$ given by $a\,A_f\,b$ iff $a \ll f^{-1}(b)$.

Given a semi-strong proximity lattice $B$, the spectrum $\mathrm{spec}(B)$ of $B$ is the set of all prime filters of $B$. For $x \in B$ let $O_x = \{F \in \mathrm{spec}(B) : x \in F\}$. The collection of $O_x$'s, $x \in B$, is a base of a topology over $\mathrm{spec}(B)$. Put

$$G(B) = \mathrm{spec}(B)$$

Given a localic approximable mapping $R : B_1 \to B_2$ define

$$G_R : \mathrm{spec}(B_1) \to \mathrm{spec}(B_2)$$

by $G_R(F) = \{b_2 \in B_2 : \exists b_1 \in F.\ b_1\,R\,b_2\}$. We have $A_{G_R} = R$ and $G_{A_f} = f$. Thus, the category of semi-strong proximity lattices with approximable mappings is equivalent to the category of stably locally compact spaces and continuous functions [13].

We now construct some canonical bases of $C(\mathbb{R}^n)$ and $\mathbb{IR}^n$, which provide us with the semi-strong proximity lattices these spaces can be represented by. Let $B^0_{\mathbb{R}^n}$, respectively $B^0_U$, for $U \subseteq \mathbb{R}^n$, be any basis of $\mathbb{R}^n$, respectively $U$, that consists of bounded convex open sets and is closed under finite intersections. We let $B_{\mathbb{R}^n}$, respectively $B_U$, denote the semi-strong proximity lattice generated by $B^0_{\mathbb{R}^n}$, respectively $B^0_U$. This means that every element of $B_{\mathbb{R}^n}$, respectively $B_U$, is a finite join of elements of $B^0_{\mathbb{R}^n}$, respectively $B^0_U$ [13].

It now follows, by Proposition 1, that $B^0_{C(\mathbb{R}^n)} = \{\Box a : a \in B^0_{\mathbb{R}^n}\}$ is a basis of the Scott topology $\Omega(C(\mathbb{R}^n))$, which is closed under finite intersections. Let $B_{C(\mathbb{R}^n)}$ be the semi-strong proximity lattice generated by $B^0_{C(\mathbb{R}^n)}$. Thus, each element of the semi-strong proximity lattice $B_{C(\mathbb{R}^n)}$ is the finite join of elements of $B^0_{C(\mathbb{R}^n)}$. Finally, let $\mathcal{T}(U)$ be a basis of $U \subseteq \mathbb{R}^n$ consisting of open hyper-rectangles in $U$ with faces parallel to the coordinate planes and let $\mathcal{T} := \mathcal{T}(\mathbb{R}^n)$. Then $B^0_{\mathbb{IR}^n} = \{\Box a : a \in \mathcal{T}\}$ is a basis for $\Omega(\mathbb{IR}^n)$. By using $\mathcal{T}(U)$, we similarly obtain a basis $B^0_{\mathbb{I}U}$ for $\mathbb{I}U \subseteq \mathbb{IR}^n$. Again by Proposition 1(i) these bases are closed under finite intersections. We let $B_{\mathbb{IR}^n}$, respectively $B_{\mathbb{I}U}$, be the semi-strong proximity lattices generated by $B^0_{\mathbb{IR}^n}$, respectively $B^0_{\mathbb{I}U}$. Thus, each element of $B_{\mathbb{IR}^n}$, respectively $B_{\mathbb{I}U}$, is the finite join of elements of $B^0_{\mathbb{IR}^n}$, respectively $B^0_{\mathbb{I}U}$. The functors $A$ and $G$ thus provide a bijection between the two hom-sets:

$$(\mathbb{I}U \to \mathbb{IR})\ \underset{A}{\overset{G}{\cong}}\ (B_{\mathbb{I}U} \to B_{\mathbb{IR}})$$

and between the two hom-sets:

$$(\mathbb{I}U \to C(\mathbb{R}^n))\ \underset{A}{\overset{G}{\cong}}\ (B_{\mathbb{I}U} \to B_{C(\mathbb{R}^n)})$$

These bijections are used later to deduce our Stone duality results.


1.3 Related Work 


Differentiation in logical form for functions of type $U \subseteq \mathbb{R}^n \to \mathbb{R}$ was introduced in [13]. These maps were represented by localic approximable mappings of type $B_U \to B_{\mathbb{R}}$, and the localic approximable mapping of the L-derivative of these functions has the type $B_U \to B_{C(\mathbb{R}^n)}$. The strong tie of $a$ with $b$, denoted by $\delta_s(a, b)$, was defined as the collection of all functions $f : a \subseteq U \to \mathbb{R}$ such that there exist $a' \in B^0_U$ and $b' \in C(\mathbb{R}^n)$ with $a \ll a'$, $b \ll b'$ and $f \in \delta(a', b')$. The approximable mapping $R : B_U \to B_{\mathbb{R}}$ has Lipschitz constant $O \in B_{C(\mathbb{R}^n)}$ in $a \in B_U$, denoted by $R \in \Delta(a, O)$, if we have:

$$\forall a_1, a_2 \prec a.\ (a_1, a_2) \in \mathrm{Sep} \implies \exists a_1', a_2' \in B_{\mathbb{R}}.\ a_1\,R\,a_1',\ a_2\,R\,a_2',\ a_1' - a_2' \subseteq O \cdot (a_1 - a_2)$$

where the separation predicate $\mathrm{Sep} \subseteq B_U \times B_U$ means $(a_1, a_2) \in \mathrm{Sep}$ if there exist $a_1', a_2'$ such that $a_1 \prec a_1'$, $a_2 \prec a_2'$ and $a_1' \wedge a_2' = 0$. The strong knot $\Delta_s(a, O)$ is defined as the set of approximable mappings $R : B_U \to B_{\mathbb{R}}$ such that there exist $a' \in B_U$, $O' \in B_{C(\mathbb{R}^n)}$ with $a \prec a'$, $O' \prec O$ and $R \in \Delta(a', O')$.

The strong ties and strong knots are dual to each other, i.e., $R \in \Delta_s(a, O)$ iff $G_R \in \delta_s(a, O)$. The Lipschitzian derivative of $R : B_U \to B_{\mathbb{R}}$ is defined as the approximable mapping

$$\mathcal{L}(R) = \sup\{A_{O\chi_a} : R \in \Delta_s(a, O)\}$$

It turns out that $\mathcal{L}(R) = A_{\mathcal{L}G_R}$ and we have a weak calculus which matches that for the Clarke sub-gradient stated after Eq. (1), i.e., $\mathcal{L}(R_1) + \mathcal{L}(R_2) \subseteq \mathcal{L}(R_1 + R_2)$ and $R_1 \cdot \mathcal{L}(R_2) + R_2 \cdot \mathcal{L}(R_1) \subseteq \mathcal{L}(R_1 \cdot R_2)$, and if at least one of $R_1$ and $R_2$ is a continuously differentiable approximable mapping then equality holds. A weak form of the chain rule also holds for composition of approximable mappings, corresponding to that for the Clarke sub-gradient.


2 L-derivative with Imprecise Inputs 


We start by defining a notion of tie for Scott continuous maps of type $f : \mathbb{I}U \to \mathbb{IR}$, for an open convex subset $U \subseteq \mathbb{R}^n$. From now on, in the rest of the paper, we assume $f : \mathbb{I}U \to \mathbb{IR}$ is Scott-continuous.

Definition 1. Let $f : \mathbb{I}U \subseteq \mathbb{IR}^n \to \mathbb{IR}$, where $U \subseteq \mathbb{R}^n$ is an open set, be Scott continuous, and let $a \in \mathcal{T}(U)$ be an open hyper-rectangle in $U$ and $b \in C(\mathbb{R}^n)$. We say $f$ has a generalized Lipschitz constant $b$ in $\Box a$ and write $f \in \delta(\Box a, b)$ if we have:

$$\forall x, y \in \Box a.\ x \cap y = \emptyset \implies f(x) - f(y) \subseteq b \cdot (x - y)$$

In the one dimensional case, this new notion is a modification of that in [12], as in Definition 1 we require the hyper-rectangles $x$ and $y$ to be disjoint, i.e., inconsistent in $\mathbb{I}U$. Thus, the condition for membership of a tie is weaker. We will need this weaker condition in order to develop the Stone duality result later in the paper.

We show that despite this weaker notion, if $f \in \delta(\Box a, b)$ with $b \neq \bot$, then $f$ preserves maximal elements and its restriction to maximal elements gives a Lipschitz map. In other words $f$ is the extension of a classical Lipschitz function in $\mathbb{I}a$.


Differential Calculus with Imprecise Input and Its Logical Framework 467 


Proposition 2. Let $f \in \delta(\Box a, b)$, where $a \subseteq \mathbb{R}^n$ is an open hyper-rectangle and $b \in C(\mathbb{R}^n) \setminus \{\bot\}$; then for each $x \in a$, $f(\{x\}) \in \mathbb{IR}$ is maximal and the induced function $\hat{f} : a \subseteq \mathbb{R}^n \to \mathbb{R}$ is Lipschitz and satisfies:

$$\forall x_1, x_2 \in a.\ \big(b \cdot (x_1 - x_2)\big)^- \le \hat{f}(x_1) - \hat{f}(x_2) \le \big(b \cdot (x_1 - x_2)\big)^+ \qquad (2)$$

$$\forall x_1, x_2 \in a.\ |\hat{f}(x_1) - \hat{f}(x_2)| \le \|b\|\,\|x_1 - x_2\|, \qquad (3)$$

where $\|b\| = \max\{\|L\| : L \in b\}$.

Corollary 1. If $f \in \delta(\Box a, b)$ then $\hat{f} \in \delta(a, b)$.

Definition 2. We say a Scott continuous function of type $\mathbb{I}U \subseteq \mathbb{IR}^n \to \mathbb{IR}$ is locally Lipschitz in $\Box a$, for $a \in \mathcal{T}(U)$, if it belongs to a tie $\delta(\Box a, b)$ with $b \neq \bot$.

Given a continuous function $f : U \subseteq \mathbb{R}^n \to \mathbb{R}$, its maximal extension to a Scott continuous function $\mathbb{I}U \subseteq \mathbb{IR}^n \to \mathbb{IR}$ is denoted by $\mathbb{I}f$, with $\mathbb{I}f(x) = f[x]$ for $x \in \mathbb{I}U$ when $x \neq \bot$ and $\mathbb{I}f(\bot) = \bot$.

Corollary 2. $f \in \delta(a, b)$ if $\mathbb{I}f \in \delta(\Box a, b)$.


If $(A, \sqsubseteq)$ is a dcpo then the consistency predicates $\mathrm{Con}_{(A, \sqsubseteq)}$ and $\mathrm{Con}_{(A, \ll)}$ for a finite subset $\{a_i : i \in I\}$ with respect to $\sqsubseteq$ and $\ll$ are defined as follows:

$$\mathrm{Con}_{(A, \sqsubseteq)}\{a_i : i \in I\} \iff \exists a \in A.\ \forall i \in I.\ a_i \sqsubseteq a$$

and

$$\mathrm{Con}_{(A, \ll)}\{a_i : i \in I\} \iff \exists a \in A.\ \forall i \in I.\ a_i \ll a$$

For the collection $(b_i\chi_{a_i})_{i \in I}$ or $(b_i\chi_{\Box a_i})_{i \in I}$, for a finite indexing set $I$, where $a_i \in \Omega(\mathbb{R}^n)$ are open hyper-rectangles and $b_i \in (D, \sqsubseteq)$, the function space consistency predicate $\mathrm{Con}_{\mathbb{R}^n \to D}$ or $\mathrm{Con}_{\mathbb{IR}^n \to D}$ is defined as follows:

$$\mathrm{Con}_{\mathbb{R}^n \to D}(b_i\chi_{a_i})_{i \in I} \iff \forall J \subseteq I.\ \big[\mathrm{Con}_{(\Omega(\mathbb{R}^n), \ll)}\{a_i : i \in J\} \implies \mathrm{Con}_{(D, \sqsubseteq)}\{b_i : i \in J\}\big]$$

$$\mathrm{Con}_{\mathbb{IR}^n \to D}(b_i\chi_{\Box a_i})_{i \in I} \iff \forall J \subseteq I.\ \big[\mathrm{Con}_{(\Omega(\mathbb{IR}^n), \ll)}\{\Box a_i : i \in J\} \implies \mathrm{Con}_{(D, \sqsubseteq)}\{b_i : i \in J\}\big].$$

It follows that the supremum $\sup_{i \in I} b_i\chi_{a_i}$ exists iff $\mathrm{Con}_{\mathbb{R}^n \to D}(b_i\chi_{a_i})_{i \in I}$ and $\sup_{i \in I} b_i\chi_{\Box a_i}$ exists iff $\mathrm{Con}_{\mathbb{IR}^n \to D}(b_i\chi_{\Box a_i})_{i \in I}$.


Proposition 3. For any indexing set $J$ the family of step functions $(b_j\chi_{\Box a_j})_{j \in J}$ is consistent if $\bigcap_{j \in J} \delta(\Box a_j, b_j) \neq \emptyset$.

Proof. Suppose $f \in \bigcap_{j \in J} \delta(\Box a_j, b_j)$; then $\hat{f} \in \bigcap_{j \in J} \delta(a_j, b_j)$, and hence $(b_j\chi_{a_j})_{j \in J}$ is consistent, which implies $(b_j\chi_{\Box a_j})_{j \in J}$ is consistent. $\square$

Recall that a crescent in $\mathbb{R}^n$ is the intersection of a closed and an open set. Given two points $p, q \in \mathbb{R}^n$, we denote the closed, respectively open, line segment between them by $[p, q] = \{\lambda p + (1 - \lambda)q : 0 \le \lambda \le 1\}$, respectively $(p, q) = \{\lambda p + (1 - \lambda)q : 0 < \lambda < 1\}$.
Proposition 4. We have $\delta(\Box a, b) \supseteq \bigcap_{j \in J} \delta(\Box a_j, b_j)$ if $b\chi_{\Box a} \sqsubseteq \sup_{j \in J} b_j\chi_{\Box a_j}$.

Proof. Let $g := \sup_{j \in J} b_j\chi_{\Box a_j}$. Suppose $b\chi_{\Box a} \sqsubseteq \sup_{j \in J} b_j\chi_{\Box a_j}$; then $\Box a \subseteq \bigcup_{j \in J} \Box a_j$ and thus $a \subseteq \bigcup_{j \in J} a_j$. In addition, by considering the restriction of $g$ to the maximal elements of $\mathbb{IR}^n$, we find that $a$ is partitioned by the open sets $a_j$, $j \in J$, into a finite number of disjoint crescents $c_i$, $i \in I$, with

$$g(\{r\}) = \sup_{c_i \subseteq a_j} b_j \sqsupseteq b$$

for $r \in c_i$. Let $f \in \bigcap_{j \in J} \delta(\Box a_j, b_j)$. We show that $f \in \delta(\Box a, b)$. Suppose we have two hyper-rectangles $x, y \in \Box a$ with $x \cap y = \emptyset$. Let the points $p \in x$ and $q \in y$ be such that $\|p - q\|$ is the minimum distance between $x$ and $y$. Then $[p, q]$ is partitioned by the crescents $c_i$, $i \in I$, into a finite number of one-dimensional intervals such that the one-dimensional interior of each is contained in $c_i$ for some $i \in I$. Let $r_0, r_1, \ldots, r_n \in \mathbb{R}^n$ be the boundary points of these intervals ordered from $p$ to $q$. Then, using the continuity of $f$, we have:

$$f(\{r_t\}) - f(\{r_{t+1}\}) \subseteq \sup_{(r_t, r_{t+1}) \subseteq c_i \subseteq a_j} b_j \cdot (\{r_t\} - \{r_{t+1}\}) \subseteq b \cdot (\{r_t\} - \{r_{t+1}\})$$

for $0 \le t \le n - 1$. Since $x \in \Box a$, there exists $j \in J$ with $x \in \Box a_j$. Moreover, $x \subseteq a_j$ iff $r_0 \in a_j$. Similarly, $y \subseteq a_j$ iff $r_n \in a_j$. From these relations, we obtain:

$$f(x) - f(\{r_0\}) \subseteq \sup_{x \subseteq a_j} b_j \cdot (x - \{r_0\}), \qquad f(\{r_n\}) - f(y) \subseteq \sup_{y \subseteq a_j} b_j \cdot (\{r_n\} - y)$$

Thus,

$$f(x) - f(y) = f(x) - f(\{r_0\}) + \sum_{t=0}^{n-1}\big(f(\{r_t\}) - f(\{r_{t+1}\})\big) + f(\{r_n\}) - f(y)$$
$$\subseteq b \cdot \Big(x - \{r_0\} + \sum_{t=0}^{n-1}\big(\{r_t\} - \{r_{t+1}\}\big) + \{r_n\} - y\Big) = b \cdot (x - y)\ \square$$


Definition 3. The derivative of a Scott continuous map $f : \mathbb{I}U \subseteq \mathbb{IR}^n \to \mathbb{IR}$ is the map:

$$\mathcal{L}f = \sup_{f \in \delta(\Box a, b)} b\chi_{\Box a} : \mathbb{I}U \to C(\mathbb{R}^n)$$

where $U$ is a convex open subset of $\mathbb{R}^n$.

Theorem 1. (i) $\mathcal{L}f$ is well-defined and Scott continuous.
(ii) $f \in \delta(\Box a, b)$ iff $b\chi_{\Box a} \sqsubseteq \mathcal{L}f$.

Proof. (i) Let the indexing set $J$ be defined by $j \in J \iff f \in \delta(\Box a_j, b_j)$; then $f \in \bigcap_{j \in J} \delta(\Box a_j, b_j)$. Thus, by Proposition 3, $(b_j\chi_{\Box a_j})_{j \in J}$ is consistent; therefore $\mathcal{L}f = \sup_{f \in \delta(\Box a, b)} b\chi_{\Box a}$ exists and is Scott continuous.

(ii) If $f \in \delta(\Box a, b)$ then clearly $b\chi_{\Box a} \sqsubseteq \mathcal{L}f$. Now take $a' \ll a$ and $b' \ll b$. Then $b'\chi_{\Box a'} \ll b\chi_{\Box a} \sqsubseteq \mathcal{L}f$ and there exists a finite indexing set $J$ such that $b'\chi_{\Box a'} \sqsubseteq \sup_{j \in J} b_j\chi_{\Box a_j}$ and $f \in \delta(\Box a_j, b_j)$ for $j \in J$. Now by Proposition 4, we have $\bigcap_{j \in J} \delta(\Box a_j, b_j) \subseteq \delta(\Box a', b')$, and thus $f \in \delta(\Box a', b')$. From this, it follows that $f \in \delta(\Box a, b)$. $\square$
If $f : U \subseteq \mathbb{R}^n \to \mathbb{R}$ is a locally Lipschitz map, then the Clarke sub-gradient $\mathcal{L}f : U \to C(\mathbb{R}^n)$ extends, by Scott's extension theory for densely injective spaces [24], to a Scott continuous map $\mathbb{I}(\mathcal{L}f) : \mathbb{I}U \to C(\mathbb{R}^n)$. We then have:

Proposition 5. $\mathcal{L}(\mathbb{I}f) = \mathbb{I}(\mathcal{L}f)$.

Proof. This follows from the relation

$$f \in \delta(a, b) \implies \mathbb{I}f \in \delta(\Box a, b),$$

for all $a \in \Omega(U)$ and $b \in C(\mathbb{R}^n)$. $\square$


The following example shows that in the context of the L-derivative of interval functions, Clarke's weak calculus no longer holds for Sum.

Example 1. Let $f, g : \mathbb{IR} \to \mathbb{IR}$ be defined by $f(x) = x$ and $g(x) = -x$; then $\mathcal{L}f(x) = \{1\}$ and $\mathcal{L}g(x) = \{-1\}$ and thus $\mathcal{L}f(x) + \mathcal{L}g(x) = \{0\}$. On the other hand, $(f + g)(x) = f(x) + g(x) = x - x$ and it follows that $f + g \notin \delta(\Box a, \{0\})$, for any open set $a \subseteq \mathbb{R}$, and consequently $\mathcal{L}(f + g) \neq \{0\}$. Hence, $\mathcal{L}(f + g)(x) \not\subseteq \mathcal{L}f(x) + \mathcal{L}g(x)$.


We say an interval $[r^-, r^+]$ is positive, respectively negative, if $r^- > 0$, respectively $r^+ < 0$. The above counter-example is a consequence of the fact that in interval arithmetic, while the relation $(u + v)w \subseteq uw + vw$ always holds for $u, v, w \in \mathbb{IR}$, the converse relation $(u + v)w \supseteq uw + vw$ may fail. However, if $u$ and $v$ are both positive or both negative then the converse also holds [21, p. 13].

We can obtain a weak calculus for the sum and product of two functions $f$ and $g$ if we first use an operation that is routinely performed in interval analysis, namely to approximate the values $\mathcal{L}f(x)$ and $\mathcal{L}g(x)$ by the smallest axes-aligned hyper-rectangle containing each of them, and then assume that the two induced hyper-rectangles have the same sign in each of their components. We now formalise this procedure.

Let $H : C(\mathbb{R}^n) \to \mathbb{IR}^n$ be the map that takes every convex compact set to the smallest axes-aligned hyper-rectangle containing it. Then, it is easy to check that $H$ is Scott continuous. Let $\pi_i : \mathbb{R}^n \to \mathbb{R}$ be the projection onto the $i$th coordinate and extend it pointwise to its maximal extension $\mathbb{I}\pi_i : \mathbb{IR}^n \to \mathbb{IR}$. Define the predicate $\mathrm{Sgn} \subseteq (\mathbb{IR}^n)^2$ by $(x, y) \in \mathrm{Sgn}$ if for each $i = 1, \ldots, n$ the two intervals $\mathbb{I}\pi_i(x)$ and $\mathbb{I}\pi_i(y)$ are either both positive or both negative.

Suppose $x, y, z \in \mathbb{IR}^n$ and $(y, z) \in \mathrm{Sgn}$; then the interval $\mathbb{I}\pi_i(y)\,\mathbb{I}\pi_i(z)$ is positive for each $i = 1, \ldots, n$ and we have $x(y + z) = xy + xz$. In fact,

$$\mathbb{I}\pi_i(x)\big(\mathbb{I}\pi_i(y) + \mathbb{I}\pi_i(z)\big) = \mathbb{I}\pi_i(x)\,\mathbb{I}\pi_i(y) + \mathbb{I}\pi_i(x)\,\mathbb{I}\pi_i(z),$$

and hence:

$$x(y + z) = \sum_{i=1}^{n} \mathbb{I}\pi_i(x)\big(\mathbb{I}\pi_i(y) + \mathbb{I}\pi_i(z)\big) = \sum_{i=1}^{n} \big(\mathbb{I}\pi_i(x)\,\mathbb{I}\pi_i(y) + \mathbb{I}\pi_i(x)\,\mathbb{I}\pi_i(z)\big)$$
$$= \sum_{i=1}^{n} \mathbb{I}\pi_i(x)\,\mathbb{I}\pi_i(y) + \sum_{i=1}^{n} \mathbb{I}\pi_i(x)\,\mathbb{I}\pi_i(z) = xy + xz$$
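As an added example (not code from the paper or from its Haskell implementation), the following Python models the interval arithmetic behind Example 1 and the Sgn predicate: intervals are (lo, hi) pairs, hyper-rectangles are tuples of intervals, the inner product of two hyper-rectangles is the sum of the coordinatewise interval products as in operation (iii), and `tie_holds` checks the condition of Definition 1 over a finite, constructed sample of intervals. The function names, the sample intervals and the finite-sample check are assumptions of this example; the paper quantifies over all disjoint pairs.

```python
# Added example: interval arithmetic for Example 1 and the Sgn predicate.
# Intervals are (lo, hi) pairs with lo <= hi; hyper-rectangles are tuples
# of intervals. Function names and sample data are constructed here.


def iv_add(u, v):
    """Interval sum [u- + v-, u+ + v+]."""
    return (u[0] + v[0], u[1] + v[1])


def iv_sub(u, v):
    """Interval difference u - v = {a - b : a in u, b in v}."""
    return (u[0] - v[1], u[1] - v[0])


def iv_mul(u, v):
    """Interval product {a * b : a in u, b in v}: hull of the corner products."""
    ps = [a * b for a in u for b in v]
    return (min(ps), max(ps))


def iv_subset(u, v):
    """Set inclusion u within v (the reverse of the information order on IR)."""
    return v[0] <= u[0] and u[1] <= v[1]


def iv_disjoint(u, v):
    return u[1] < v[0] or v[1] < u[0]


def is_positive(u):
    return u[0] > 0


def is_negative(u):
    return u[1] < 0


def box_add(x, y):
    return tuple(iv_add(a, b) for a, b in zip(x, y))


def box_dot(x, y):
    """Interval inner product x.y = sum_i Ipi_i(x) * Ipi_i(y), i.e. the set
    {a.b : a in x, b in y} for hyper-rectangles x and y (operation (iii))."""
    acc = (0, 0)
    for a, b in zip(x, y):
        acc = iv_add(acc, iv_mul(a, b))
    return acc


def sgn(x, y):
    """(x, y) in Sgn: in every coordinate both intervals are positive or both negative."""
    return all((is_positive(a) and is_positive(b)) or (is_negative(a) and is_negative(b))
               for a, b in zip(x, y))


def distributes(x, y, z):
    """Compare x(y + z) with xy + xz; returns (lhs, rhs, lhs == rhs).
    lhs is always contained in rhs; equality is guaranteed when (y, z) in Sgn."""
    lhs = box_dot(x, box_add(y, z))
    rhs = iv_add(box_dot(x, y), box_dot(x, z))
    return lhs, rhs, lhs == rhs


def tie_holds(f, b, sample):
    """Definition 1 (one-dimensional case) on a finite sample of intervals:
    for every disjoint pair x, y the difference f(x) - f(y) must lie in b.(x - y).
    b is a compact interval playing the role of an element of C(R)."""
    for x in sample:
        for y in sample:
            if iv_disjoint(x, y) and not iv_subset(iv_sub(f(x), f(y)), iv_mul(b, iv_sub(x, y))):
                return False
    return True


# Example 1: f(x) = x, g(x) = -x and their sum x - x.
def f_id(x):
    return x


def g_neg(x):
    return (-x[1], -x[0])


def f_plus_g(x):
    return iv_add(f_id(x), g_neg(x))


# Constructed sample: disjoint non-degenerate and degenerate intervals.
SAMPLE = [(0, 1), (2, 3), (-1, -0.5), (1.5, 1.75), (4, 4)]

if __name__ == "__main__":
    print(tie_holds(f_id, (1, 1), SAMPLE), tie_holds(g_neg, (-1, -1), SAMPLE))
    print(tie_holds(f_plus_g, (0, 0), SAMPLE), tie_holds(f_plus_g, (-1, 1), SAMPLE))
    print(distributes(((1, 2),), ((1, 2),), ((-2, -1),)))
    print(distributes(((1, 2), (-1, 1)), ((1, 2), (3, 4)), ((2, 3), (1, 2))))
```

On the sample, $f$ and $g$ pass the tie check with constants $\{1\}$ and $\{-1\}$, while $f + g$ fails with $\{0\}$ and passes with $[-1, 1]$, which is the behaviour Example 1 describes; the two `distributes` calls show strict subdistributivity when the summands have mixed signs and equality when they satisfy Sgn.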
Proposition 6. Suppose $f, g : \mathbb{I}U \subseteq \mathbb{IR}^n \to \mathbb{IR}$ are locally Lipschitz functions and $x \in \mathbb{I}U$ is such that $\big(H(\mathcal{L}f(x)), H(\mathcal{L}g(x))\big) \in \mathrm{Sgn}$. Then:

1. $H(\mathcal{L}f(x)) + H(\mathcal{L}g(x)) \supseteq H(\mathcal{L}(f + g)(x))$

2. If, in addition, $(f(x), g(x)) \in \mathrm{Sgn}$, then we also have:

$$f(x)\,H(\mathcal{L}g(x)) + g(x)\,H(\mathcal{L}f(x)) \supseteq H(\mathcal{L}(fg)(x))$$

We will provide the proof for a weak form of the chain rule, which is more involved compared to sum and product. First consider the extended scalar multiplication $M : C(\mathbb{R}^n) \times \mathbb{IR}^+ \to C(\mathbb{R}^n)$, where $\mathbb{R}^+$ is the set of non-negative reals, with $M(b, x) = \{ur : u \in b, r \in x\}$. Then, $M$ is well-defined and Scott continuous. For ease of presentation, we write $M(b, x) = bx$.

Proposition 7. If $g : \mathbb{I}U_1 \subseteq \mathbb{IR}^n \to \mathbb{IR}$ and $f : \mathbb{I}U_2 \subseteq \mathbb{IR} \to \mathbb{IR}$, with $\mathrm{Im}(g) \subseteq \mathbb{I}U_2$ and $(\mathcal{L}f)(g(x)) \in \mathbb{IR}^+$, are Scott-continuous, then:

$$\big((\mathcal{L}f) \circ g\big)(x)\,\mathcal{L}g(x) \supseteq \mathcal{L}(f \circ g)(x)$$


3 Lipschitzian Approximable Mapping 


Recall that, since $\mathbb{IR}^n$, $C(\mathbb{R}^n)$ and $\mathbb{R}^n$ are stably locally compact spaces and the category of stably locally compact spaces with continuous functions and the category of semi-strong proximity lattices with approximable mappings are equivalent, any continuous function $f : \mathbb{I}U \subseteq \mathbb{IR}^n \to \mathbb{IR}$ defines an approximable mapping $A_f : B_{\mathbb{I}U} \to B_{\mathbb{IR}}$ by $\Box a\,A_f\,\Box a' \iff \Box a \ll f^{-1}(\Box a')$. On the other hand any approximable mapping of type $R : B_{\mathbb{IR}^n} \to B_D$, where $D$ is either $\mathbb{IR}$ or $\mathbb{IR}^n$ or $C(\mathbb{R}^n)$, gives us a continuous function $G_R : \mathbb{IR}^n \to D$.


Lemma 1. Let $f : \mathbb{I}U \subseteq \mathbb{IR}^n \to \mathbb{IR}$ be a Scott continuous function such that $f(\{x\})$ is a singleton for all $x \in U$. Suppose $a_1$ is an open hyper-rectangle in $U$ and $a_2$ is an open interval. If $\hat{f} : U \subseteq \mathbb{R}^n \to \mathbb{R}$ is the induced function with $f(\{x\}) = \{\hat{f}(x)\}$ then:

$$\Box a_1 \ll f^{-1}(\Box a_2) \implies a_1 \ll \hat{f}^{-1}(a_2), \qquad \Box a_1\,A_f\,\Box a_2 \implies a_1\,A_{\hat{f}}\,a_2$$

Recall the definition of the predicate $\mathrm{Sep} \subseteq B_U \times B_U$ from Subsect. 1.3.


Definition 4. We say an approximable mapping $R : B_{\mathbb{I}U} \to B_{\mathbb{IR}}$, where $U \subseteq \mathbb{R}^n$ is a convex open set, has Lipschitzian constant $O$ in $\Box a$, with $O \in B^0_{\mathbb{R}^n}$ and $a \in \mathcal{T}(U)$, if:

$$\forall a_1, a_2 \in \mathcal{T}(U).\ a_1, a_2 \prec a\ \&\ (a_1, a_2) \in \mathrm{Sep} \implies \exists a_1', a_2' \in B_{\mathbb{R}}.\ \Box a_1\,R\,\Box a_1',\ \Box a_2\,R\,\Box a_2'\ \&\ a_1' - a_2' \subseteq O \cdot (a_1 - a_2),$$

and we say $R$ is Lipschitzian in $\Box a$. The set of all approximable mappings with the above property is denoted by $\Delta(\Box a, O)$, called the knot of $\Box a$ and $O$.

Note that, by Proposition 1, the last formula in Definition 4 is equivalent to $\Box a_1' - \Box a_2' \subseteq \Box O \cdot (\Box a_1 - \Box a_2)$. Given this equivalence, it is simpler to use the formula without the modal operator $\Box$, as we have done in this definition. By Proposition 1 and Stone duality, we have:

Proposition 8. Suppose $f : \mathbb{I}U \to \mathbb{IR}$ is a Scott continuous function such that $f(\{x\})$ is a singleton for every $x \in U$. Then we have: $A_{\hat{f}} \in \Delta(a, O)$ if $A_f \in \Delta(\Box a, O)$.


From $\Delta(\Box a, O)$, a Lipschitz property of $G_R$ can be deduced as follows.

Proposition 9. If $R : B_{\mathbb{I}U} \to B_{\mathbb{IR}}$ is an approximable mapping such that $R \in \Delta(\Box a, O)$ then:

$$\forall x, y \in \Box a.\ x \cap y = \emptyset \implies G_R(x) - G_R(y) \subseteq O \cdot (x - y)$$

Proof. Let $x, y \in \Box a$ and $x \cap y = \emptyset$; then consider $a_1, a_2 \in \mathcal{T}(U)$ such that $(a_1, a_2) \in \mathrm{Sep}$ and $x \in \Box a_1$, $y \in \Box a_2$. Hence, there exist $a_1', a_2' \in B_{\mathbb{R}}$ such that $\Box a_i\,R\,\Box a_i'$, $i = 1, 2$, and:

$$a_1' - a_2' \subseteq O \cdot (a_1 - a_2)$$

By Stone duality we have $R = A_{G_R}$. Hence $\Box a_i \ll G_R^{-1}(\Box a_i')$, $i = 1, 2$, and thus:

$$G_R(x) - G_R(y) \subseteq O \cdot (a_1 - a_2).$$

Since this holds for all sufficiently small $a_1$ and $a_2$ that contain $x$ and $y$ respectively, we obtain: $G_R(x) - G_R(y) \subseteq O \cdot (x - y)$. $\square$

Corollary 3. If $R \in \Delta(\Box a, O)$ then $G_R \in \delta(\Box a, O)$.

Thus, if $A_f$ is a Lipschitzian approximable mapping of type $B_{\mathbb{I}U} \to B_{\mathbb{IR}}$ then $f$ is a Lipschitz function of type $\mathbb{I}U \to \mathbb{IR}$ and hence $f(\{x\})$ is a singleton for every $x \in U$ and the induced function $\hat{f} : U \to \mathbb{R}$ is also Lipschitz.

Now we are in a position to obtain duality results similar to those in [13] for functions of type $\mathbb{I}U \subseteq \mathbb{IR}^n \to \mathbb{IR}$.


Proposition 10. Let $f \in \delta(\Box a, b)$; then for every $a_0 \in \mathcal{T}$ such that $a_0 \prec a$ and every $O \in B^0_{\mathbb{R}^n}$ such that $b \subseteq O$ we have $A_f \in \Delta(\Box a_0, O)$.

Proof. Suppose $a_0 \prec a$. Let $a_1, a_2 \in \mathcal{T}(U)$ with $(a_1, a_2) \in \mathrm{Sep}$ and $a_1, a_2 \prec a_0$. Then, since $\overline{a_1}, \overline{a_2} \in \mathbb{I}U$, from the definition of the tie $\delta(\Box a, b)$, we have

$$f(\overline{a_1}) - f(\overline{a_2}) \subseteq b \cdot (\overline{a_1} - \overline{a_2}) \subseteq O \cdot (a_1 - a_2).$$

Since $f(\overline{a_1}), f(\overline{a_2}) \in \mathbb{IR}$ are compact, there exist open hyper-rectangles $a_1', a_2' \in B_{\mathbb{R}}$ such that $f(\overline{a_i}) \subseteq a_i'$, $i = 1, 2$, and $a_1' - a_2' \subseteq O \cdot (a_1 - a_2)$. This implies $A_f \in \Delta(\Box a_0, O)$. $\square$

Example 2. Let $f : \mathbb{IR} \to \mathbb{IR}$ be given by

$$f([x_1, x_2]) = [x_1 - \delta(x_2 - x_1),\ x_2 + \delta(x_2 - x_1)]$$

for $\delta > 0$. The restriction $\hat{f}$ of $f$ to the maximal elements of $\mathbb{IR}$ is the identity function, $\hat{f} = \mathrm{Id} : \mathbb{R} \to \mathbb{R}$. Since $\mathbb{I}\mathrm{Id} \neq f$, the map $f$ is not the maximal extension of the identity map $\mathrm{Id}$. On the other hand, $A_f : B_{\mathbb{IR}} \to B_{\mathbb{IR}}$ satisfies $A_f \in \Delta(\Box\mathbb{R}, O)$ iff $(1 - \delta, 1 + \delta) \subseteq O$. However, $A_{\hat{f}} \in \Delta(\mathbb{R}, O)$ iff $1 \in O$.


The following two propositions represent a domain isomorphism between the function space $(\mathbb{I}U \to C(\mathbb{R}^n))$ and the domain of approximable mappings $(B_{\mathbb{I}U} \to B_{C(\mathbb{R}^n)})$ ordered by inclusion.

Proposition 11. 1. For $f_1, f_2 : \mathbb{I}U \to C(\mathbb{R}^n)$ we have:

$$f_1 \sqsubseteq f_2 \iff A_{f_1} \subseteq A_{f_2}$$

2. For $R_1, R_2 : B_{\mathbb{I}U} \to B_{C(\mathbb{R}^n)}$ we have:

$$R_1 \subseteq R_2 \iff G_{R_1} \sqsubseteq G_{R_2}$$

Proposition 12. 1. If $(f_i)_{i \in I}$ is a directed set in $\mathbb{I}U \to C(\mathbb{R}^n)$, with supremum $f = \sup_{i \in I} f_i$, then $\bigcup_{i \in I} A_{f_i} = A_f$ in $\mathrm{App}(B_{\mathbb{I}U}, B_{C(\mathbb{R}^n)})$.

2. If $(R_i)_{i \in I}$ is a directed set in $\mathrm{App}(B_{\mathbb{I}U}, B_{C(\mathbb{R}^n)})$ then $\sup_{i \in I} G_{R_i} = G_R$ in $(\mathbb{I}U \to C(\mathbb{R}^n))$ where $R = \sup_{i \in I} R_i$.

Definition 5. If $a$ is an open hyper-rectangle and $O$ is a basic convex open set then the single-step approximable mapping $\eta(\Box a, O)$ is defined as $\eta(\Box a, O) = A_{O\chi_{\Box a}} : B_{\mathbb{I}U} \to B_{C(\mathbb{R}^n)}$.


For defining the Lipschitzian derivative of an approximable mapping we first need to define the notions of a strong tie and a strong knot.

Definition 6. We say $f : \mathbb{I}U \to \mathbb{IR}$ has a strong set-valued Lipschitz constant $b \in C(\mathbb{R}^n)$ in $\Box a$, for $a \in \mathcal{T}(U)$, denoted by $f \in \delta_s(\Box a, b)$, if there exist $a'$ with $a \ll a'$ and $b' \in C(\mathbb{R}^n)$ with $b \ll_{C(\mathbb{R}^n)} b'$ such that $f \in \delta(\Box a', b')$. We call $\delta_s(\Box a, b)$ the strong single-tie of $\Box a$ with $b$.

From general results about single-step functions [16] we know that if $b\chi_{\Box a} \ll \mathcal{L}f$, then for every $x \in \Box a$ we have $b \ll \mathcal{L}f(x)$, and hence $\mathcal{L}f(x) \in {\uparrow\!\!\uparrow}b$. This means $\mathcal{L}f(\Box a) \subseteq {\uparrow\!\!\uparrow}b$. Moreover $\Box a \ll (\mathcal{L}f)^{-1}({\uparrow\!\!\uparrow}b)$.

Similar to Proposition VII.3 in [13] and its corollary, we have:

Proposition 13. If $f : \mathbb{I}U \to \mathbb{IR}$ is locally Lipschitz, then:

$$f \in \delta_s(\Box a, b) \implies b\chi_{\Box a} \ll \mathcal{L}f$$

$$\mathcal{L}f = \sup\{b\chi_{\Box a} : b\chi_{\Box a} \ll \mathcal{L}f\} = \sup\{b\chi_{\Box a} : f \in \delta_s(\Box a, b)\}$$




Definition 7. We say an approximable mapping $R : B_{\mathbb{I}U} \to B_{\mathbb{IR}}$ has strong Lipschitz constant $O$ in $\Box a$, for $O \in B^0_{\mathbb{R}^n}$ and $a \in \mathcal{T}(U)$, denoted by $R \in \Delta_s(\Box a, O)$, if there exist $a' \in \mathcal{T}(U)$ with $a \prec a'$ and $O' \in B^0_{\mathbb{R}^n}$ with $O' \prec O$ such that $R \in \Delta(\Box a', O')$.

Proposition 14. 1. If $f \in \delta_s(\Box a, b)$ then for all $O \in B^0_{\mathbb{R}^n}$ with $b \subseteq O$ we have $A_f \in \Delta_s(\Box a, O)$.
2. If $A_f \in \Delta_s(\Box a, O)$ then there exists $b \subseteq O$ such that $f \in \delta_s(\Box a, b)$.

Proof. 1. Let $f \in \delta_s(\Box a, b)$ and $b \subseteq O$; then there exist $a' \in \mathcal{T}(U)$ with $a \ll a'$ and $b'$ with $b \ll b'$ such that $f \in \delta(\Box a', b')$. By the interpolation property of $\ll$ there exist $a_0$ with $a \ll a_0 \ll a'$ and $O_0$ with $b \subseteq O_0 \ll O$. By Proposition 10 we have $A_f \in \Delta(\Box a_0, O_0)$ and thus $A_f \in \Delta_s(\Box a, O)$.

2. Let $A_f \in \Delta_s(\Box a, O)$; then by the definition of strong knot there exist $a'$ with $a \ll a'$ and $O'$ with $O' \ll O$ such that $A_f \in \Delta(\Box a', O')$. By Corollary 3, $f \in \delta(\Box a', O')$. By the interpolation property, there exists $O''$ with $O' \ll O'' \ll O$. Let $b' = O'$ and $b = O''$; then $b \ll b'$ and $f \in \delta(\Box a', b')$. Hence, $f \in \delta_s(\Box a, b)$. $\square$


Finally, we obtain the duality between strong ties and strong knots, extending the main result in [13] to functions with interval input and output.

Corollary 4. We have $R \in \Delta_s(\Box a, O)$ iff $G_R \in \delta_s(\Box a, O)$. Dually, we have $f \in \delta_s(\Box a, b)$ iff $A_f \in \Delta_s(\Box a, b^\circ)$.

Definition 8. Let $R : B_{\mathbb{I}U} \to B_{\mathbb{IR}}$ be a Lipschitzian approximable mapping. The Lipschitzian derivative of $R$ is defined as:

$$\mathcal{L}(R) = \sup\{\eta(\Box a, O) : R \in \Delta_s(\Box a, O)\}$$

which is of type $B_{\mathbb{I}U} \to B_{C(\mathbb{R}^n)}$.

The following theorem extends Theorem VII.12 in [13] to functions with interval input and output.

Theorem 2. The Lipschitzian derivative of a Lipschitzian approximable mapping $R : B_{\mathbb{I}U} \to B_{\mathbb{IR}}$ is an approximable mapping and we have: $\mathcal{L}(R) = A_{\mathcal{L}G_R}$.


4 Conclusion 


We have developed a notion of sub-differentiation for Scott continuous maps which take hyper-rectangles in a finite dimensional Euclidean space to compact real intervals and which is itself a Scott continuous map. This extends the domain of application of Interval Analysis to the classical derivative. It also extends Clarke's theory and that of the L-derivative to functions with imprecise input/output as one encounters in interval analysis and exact real number computation. The classical Clarke operator commutes with the extension operator that extends a non-empty convex and compact valued map on a finite dimensional Euclidean space to the space of hyper-rectangles of the Euclidean space. We have derived a calculus for sub-differentiation of interval maps which is weaker than the corresponding Clarke calculus for point maps. A Stone duality framework for sub-differentiation of interval maps is also constructed, which allows for a program logic view of sub-differentiation. We envisage several areas for immediate further work, namely an implementation of this work in Haskell, an implementation in a theorem prover such as Coq, and a derivation of a weak calculus for constructors of approximable mappings which would match the calculus for the interval functions.


References 


1. Haskell Implementation of IC-Reals for Exact Real Computation. Imperial College London. http://www.doc.ic.ac.uk/exact-computation/Haskell

2. Abramsky, S., Jung, A.: Domain theory. In: Abramsky, S., Gabbay, D.M., Maibaum, T.S.E. (eds.) Handbook of Logic in Computer Science, vol. 3. Clarendon, Oxford (1994)

3. Bauer, A., Escardó, M.H., Simpson, A.: Comparing functional paradigms for exact real-number computation. In: Widmayer, P., Eidenbenz, S., Triguero, F., Morales, R., Conejo, R., Hennessy, M. (eds.) ICALP 2002. LNCS, vol. 2380, pp. 488-500. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45465-9_42

4. Clarke, F.H.: Optimization and Nonsmooth Analysis. Wiley, New York (1983)

5. Di Gianantonio, P.: A functional approach to real number computation. Ph.D. thesis, University of Pisa (1993)

6. Di Gianantonio, P.: Real number computability and domain theory. Inf. Comput. 127(1), 11-25 (1996)

7. Di Gianantonio, P., Edalat, A.: A language for differentiable functions. In: Proceedings of the 16th International Conference on Foundations of Software Science and Computation Structures (FoSSaCS) (2013)

8. Edalat, A.: A continuous derivative for real-valued functions. In: Cooper, S.B., Löwe, B., Sorbi, A. (eds.) CiE 2007. LNCS, vol. 4497, pp. 248-257. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-73001-9_26

9. Edalat, A., Escardó, M.: Integration in real PCF. In: Eleventh Annual IEEE Symposium on Logic in Computer Science (LICS). IEEE (1996)

10. Edalat, A., Heckmann, R.: Computing with real numbers. In: Barthe, G., Dybjer, P., Pinto, L., Saraiva, J. (eds.) APPSEM 2000. LNCS, vol. 2395, pp. 193-267. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45699-6_5

11. Edalat, A., Lieutier, A.: Domain theory and differential calculus (functions of one variable). In: LICS. IEEE (2002). www.doc.ic.ac.uk/~ae/papers/diffcal.ps. Full paper to appear in MSCS

12. Edalat, A., Lieutier, A.: Foundation of a computable solid modelling. Theoret. Comput. Sci. 284(2), 319-345 (2002)

13. Edalat, A., Maleki, M.: Differentiation in logical form. In: Proceedings of the 32nd ACM/IEEE Symposium on Logic in Computer Science (LICS 2017). ACM/IEEE (2017)

14. Edalat, A., Potts, P.J.: A new representation for exact real numbers. In: Proceedings of Mathematical Foundations of Programming Semantics 13, Electronic Notes in Theoretical Computer Science, vol. 6. Elsevier Science B.V. (1997). www.elsevier.nl/locate/entcs/volume6.html


15. Edalat, A., Potts, P.J., Sünderhauf, P.: Lazy computation with exact real numbers. In: Proceedings of the Third ACM SIGPLAN International Conference on Functional Programming, pp. 185-194. ACM (1998)

16. Erker, T., Escardó, M., Keimel, K.: The way-below relation of function spaces over semantic domains. Topol. Appl. 89(1-2), 61-74 (1998)

17. Escardó, M.H.: PCF extended with real numbers. Theor. Comput. Sci. 162(1), 79-115 (1996)

18. Gierz, G., Hofmann, K.H., Keimel, K., Lawson, J.D., Mislove, M., Scott, D.S.: Continuous Lattices and Domains. Cambridge University Press, Cambridge (2003)

19. Jung, A., Sünderhauf, P.: On the duality of compact vs. open. Ann. New York Acad. Sci. 806(1), 214-230 (1996)

20. Moore, R., Kearfott, R., Cloud, M.: Introduction to Interval Analysis. Society for Industrial and Applied Mathematics, Philadelphia (2009)

21. Moore, R.E.: Interval Analysis. Prentice-Hall, Englewood Cliffs (1966)

22. Potts, P.J., Edalat, A., Escardó, M.: Semantics of exact real arithmetic. In: Twelfth Annual IEEE Symposium on Logic in Computer Science. IEEE (1997)

23. Pour-El, M.B., Richards, J.I.: Computability in Analysis and Physics. Springer, New York (1988)

24. Scott, D.S.: Continuous lattices. In: Lawvere, F.W. (ed.) Toposes, Algebraic Geometry and Logic. LNM, vol. 274, pp. 97-136. Springer, Heidelberg (1972). https://doi.org/10.1007/BFb0073967

25. Smyth, M.B.: Effectively given domains. Theor. Comput. Sci. 5, 257-274 (1977)

26. Vickers, S.J.: Geometric logic in computer science. In: Burn, G.L., Gay, S.J., Ryan, M.D. (eds.) Theory and Formal Methods, pp. 37-54. Springer, Heidelberg (1993). https://doi.org/10.1007/978-1-4471-3503-6_4

27. Weihrauch, K.: Computable Analysis (An Introduction). Springer, Heidelberg (2000). https://doi.org/10.1007/978-3-642-56999-9


Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.




The Effects of Adding Reachability Predicates in Propositional Separation Logic

Stéphane Demri¹, Etienne Lozes², and Alessio Mansutti¹
¹ LSV, CNRS, ENS Paris-Saclay, Université Paris-Saclay, Cachan, France
alessio.mansutti@lsv.fr
² I3S, Université Côte d'Azur, Nice, France


Abstract. The list segment predicate ls used in separation logic for verifying programs with pointers is well-suited to express properties on singly-linked lists. We study the effects of adding ls to the full propositional separation logic with the separating conjunction and implication, which is motivated by the recent design of new fragments in which all these ingredients are used indifferently and verification tools start to handle the magic wand connective. This is a very natural extension that has not been studied so far. We show that the restriction without the separating implication can be solved in polynomial space by using an appropriate abstraction for memory states, whereas the full extension is shown undecidable by reduction from first-order separation logic. Many variants of the logic and fragments are also investigated from the computational point of view when ls is added, providing numerous results about adding reachability predicates to propositional separation logic.


1 Introduction 


Separation logic [20,25,28] is a well-known assertion logic for reasoning about programs with dynamic data structures. Since the implementation of Smallfoot and the evidence that the method is scalable [3,33], many tools supporting separation logic as an assertion language have been developed [3,8,9,16,17,33]. Even though the first tools could handle relatively limited fragments of separation logic, like symbolic heaps, there is a growing interest and demand to consider extensions with richer expressive power. We can point out three particular extensions of symbolic heaps (without list predicates) that have been proved decidable.


— Symbolic heaps with generalised inductive predicates, adding a fixpoint combinator to the language, is a convenient logic for specifying data structures that are more advanced than lists or trees. The entailment problem is known to be decidable by means of tree automata techniques for the bounded tree-width fragment [1,19], whereas satisfiability is EXPTIME-complete [6]. Other related results can be found in [21].

— List-free symbolic heaps with all classical Boolean connectives ∧ and ¬ (and with the separating conjunction *), called herein SL(*), is a convenient extension when combinations of results of various analyses need to be expressed, or when the analysis requires a complementation. This extension is already PSPACE-complete [11].

— Propositional separation logic with separating implication, a.k.a. magic wand (-*), is a convenient fragment (called herein SL(*, -*)) in which the two problems of frame inference and abduction, which play an important role in static analysers and provers built on top of separation logic, can be solved. SL(*, -*) can be decided in PSPACE thanks to a small model property [32].


A natural question is how to combine these extensions, and which separation logic fragment that allows Boolean connectives, magic wand and generalised recursive predicates can be decided with some adequate restrictions. As already advocated in [7,18,24,29,31], dealing with the separating implication -* is a desirable feature for program verification, and several semi-automated or automated verification tools support it in some way, see e.g. [18,24,29,31].


Our Contribution. In this paper, we address the question of combining magic wand and inductive predicates in the extremely limited case where the only inductive predicate is the gentle list segment predicate ls. So the starting point of this work is this puzzling question: what is the complexity/decidability status of propositional separation logic SL(*, -*) enriched with the list segment predicate ls (herein called SL(*, -*, ls))? More precisely, we study the decidability/complexity status of extensions of propositional separation logic SL(*, -*) by adding one of the reachability predicates among ls (precise predicate as usual in separation logic), reach (existence of a path, possibly empty) and reach+ (existence of a non-empty path).

First, we establish that the satisfiability problem for the propositional separation logic SL(*, -*, ls) is undecidable. Our proof is by reduction from the undecidability of first-order separation logic [5,14], using an encoding of the variables as heap cells (see Theorem 1). As a consequence, we also establish that SL(*, -*, ls) is not finitely axiomatisable. Moreover, our reduction requires a rather limited expressive power of the list segment predicate, and we can strengthen our undecidability results to some fragments of SL(*, -*, ls). For instance, surprisingly, the extension of SL(*, -*) with the atomic formulae of the form reach(x, y) = 2 and reach(x, y) = 3 (existence of a path between x and y of respective length 2 or 3) is already undecidable, whereas the satisfiability problem for SL(*, -*, reach(x, y) = 2) is known to be in PSPACE [15].

Second, we show that the satisfiability problem for SL(*, reach+) is PSPACE-complete, extending the well-known result on SL(*). The PSPACE upper bound relies on a small heap property based on the techniques of test formulae, see e.g. [4,15,22,23], and the PSPACE-hardness of SL(*) is inherited from [11]. The PSPACE upper bound can be extended to the fragment of SL(*, -*, reach+) made of Boolean combinations of formulae from SL(*, reach+) ∪ SL(*, -*) (see the developments in Sect. 4). Even better, we show that the fragment of SL(*, -*, reach+) in which reach+ is not in the scope of -* is decidable. As far as we know, this is the largest fragment including full Boolean expressivity, -* and ls for which decidability is established.


2 Preliminaries 


Let PVAR = {x, y, ...} be a countably infinite set of program variables and LOC = {ℓ₀, ℓ₁, ℓ₂, ...} be a countably infinite set of locations. A memory state is a pair (s, h) such that s : PVAR → LOC is a variable valuation (known as the store) and $h : LOC \to_{fin} LOC$ is a partial function with finite domain, known as the heap. We write dom(h) to denote its domain and ran(h) to denote its range. Given a heap h with dom(h) = {ℓ₁, ..., ℓₙ}, we also write $\{\ell_1 \mapsto h(\ell_1), \ldots, \ell_n \mapsto h(\ell_n)\}$ to denote h. Each $\ell_i \mapsto h(\ell_i)$ is understood as a memory cell of h.

As usual, the heaps h₁ and h₂ are said to be disjoint, written $h_1 \perp h_2$, if dom(h₁) ∩ dom(h₂) = ∅; when this holds, we write h₁ + h₂ to denote the heap corresponding to the disjoint union of the graphs of h₁ and h₂, hence dom(h₁ + h₂) = dom(h₁) ⊎ dom(h₂). When the domains of h₁ and h₂ are not disjoint, the composition h₁ + h₂ is not defined. Moreover, we write $h' \sqsubseteq h$ to denote that dom(h') ⊆ dom(h) and for all locations ℓ ∈ dom(h'), we have h'(ℓ) = h(ℓ). The formulae φ of the separation logic SL(*, -*, ls) and its atomic formulae π are built from
\[
\pi ::= x = y \mid x \mapsto y \mid \texttt{ls}(x,y) \mid \texttt{emp} \mid \top
\qquad
\varphi ::= \pi \mid \neg\varphi \mid \varphi \wedge \varphi \mid \varphi * \varphi \mid \varphi \mathrel{-\!*} \varphi,
\]
where x, y ∈ PVAR (⇒, ⇔ and ∨ are defined as usual). Models of the logic SL(*, -*, ls) are memory states and the satisfaction relation ⊨ is defined as follows (omitting standard clauses for ¬, ∧):


\[
\begin{array}{lcl}
(s,h) \models x = y & \iff & s(x) = s(y)\\[2pt]
(s,h) \models \texttt{emp} & \iff & dom(h) = \emptyset\\[2pt]
(s,h) \models x \mapsto y & \iff & s(x) \in dom(h) \text{ and } h(s(x)) = s(y)\\[2pt]
(s,h) \models \texttt{ls}(x,y) & \iff & \text{either } (dom(h) = \emptyset \text{ and } s(x) = s(y)) \text{ or}\\
& & h = \{\ell_0 \mapsto \ell_1,\ \ell_1 \mapsto \ell_2,\ \ldots,\ \ell_{n-1} \mapsto \ell_n\} \text{ with } n \geq 1,\\
& & \ell_0 = s(x),\ \ell_n = s(y) \text{ and for all } i \neq j \in [0,n],\ \ell_i \neq \ell_j\\[2pt]
(s,h) \models \varphi_1 * \varphi_2 & \iff & \text{there are } h_1 \text{ and } h_2 \text{ such that } h_1 \perp h_2,\ (h_1 + h_2) = h,\\
& & (s,h_1) \models \varphi_1 \text{ and } (s,h_2) \models \varphi_2\\[2pt]
(s,h) \models \varphi_1 \mathrel{-\!*} \varphi_2 & \iff & \forall h_1,\ \text{if } (h_1 \perp h \text{ and } (s,h_1) \models \varphi_1) \text{ then } (s, h + h_1) \models \varphi_2.
\end{array}
\]


Note that the semantics for *, -*, ↦, ls and for all other ingredients is the usual one in separation logic and ls is the precise list segment predicate. In the sequel, we use the following abbreviations: $\texttt{size} \geq 0 \stackrel{\text{def}}{=} \top$ and for all β ≥ 0, $\texttt{size} \geq \beta+1 \stackrel{\text{def}}{=} (\texttt{size} \geq \beta) * \neg\texttt{emp}$, $\texttt{size} \leq \beta \stackrel{\text{def}}{=} \neg(\texttt{size} \geq \beta+1)$ and $\texttt{size} = \beta \stackrel{\text{def}}{=} (\texttt{size} \leq \beta) \wedge (\texttt{size} \geq \beta)$. Moreover, $\varphi_1 \mathrel{-\!\circledast} \varphi_2 \stackrel{\text{def}}{=} \neg(\varphi_1 \mathrel{-\!*} \neg\varphi_2)$ (septraction connective), $\texttt{alloc}(x) \stackrel{\text{def}}{=} (x \mapsto x) \mathrel{-\!*} \bot$ and the precise points-to $x \hookrightarrow y \stackrel{\text{def}}{=} (x \mapsto y) \wedge \texttt{size} = 1$.


W.l.o.g., we can assume that LOC = ℕ since none of the developments depend on the elements of LOC, as the only predicate involving locations is the equality. We write SL(*, -*) to denote the restriction of SL(*, -*, ls) without ls. Similarly, we write SL(*) to denote the restriction of SL(*, -*) without -*. Given two formulae φ, φ' (possibly from different logical languages), we write φ ≡ φ' whenever for all (s, h), we have (s, h) ⊨ φ iff (s, h) ⊨ φ'. When φ ≡ φ', the formulae φ and φ' are said to be equivalent.


Variants with Other Reachability Predicates. We use two additional reachability predicates reach(x, y) and reach+(x, y) and we write SL(*, -*, reach) (resp. SL(*, -*, reach+)) to denote the variant of SL(*, -*, ls) in which ls is replaced by reach (resp. by reach+). The relation ⊨ is extended as follows: (s, h) ⊨ reach(x, y) holds when there is i ≥ 0 such that $h^i(s(x)) = s(y)$ (i functional composition(s) of h is denoted by $h^i$) and (s, h) ⊨ reach+(x, y) holds when there is i ≥ 1 such that $h^i(s(x)) = s(y)$. As $\texttt{ls}(x,y) \equiv \texttt{reach}(x,y) \wedge \neg(\neg\texttt{emp} * \texttt{reach}(x,y))$ and $\texttt{reach}(x,y) \equiv \top * \texttt{ls}(x,y)$, the logics SL(*, -*, reach) and SL(*, -*, ls) have identical decidability status. As far as computational complexity is concerned, a similar analysis can be done as soon as *, ¬, ∧ and emp are parts of the fragments (the details are omitted here). Similarly, we have the equivalences: $\texttt{reach}(x,y) \equiv x = y \vee \texttt{reach}^+(x,y)$ and $\texttt{ls}(x,y) \equiv (x = y \wedge \texttt{emp}) \vee (\texttt{reach}^+(x,y) \wedge \neg(\neg\texttt{emp} * \texttt{reach}^+(x,y)))$. So clearly, SL(*, reach) and SL(*, ls) can be viewed as fragments of SL(*, reach+) and SL(*, -*, ls) as a fragment of SL(*, -*, reach+). It is therefore stronger to establish decidability or complexity upper bounds with reach+ and to show undecidability or complexity lower bounds with ls or reach. Herein, we provide the optimal results.
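The semantics of Sect. 2 and the equivalences above, as an added example that is not part of the paper: a brute-force model checker for the magic-wand-free fragment SL(*, ls) over finite memory states, with reach derived as ⊤ * ls(x, y) and ls recovered as reach(x, y) ∧ ¬(¬emp * reach(x, y)). The tuple-based formula encoding and the sample memory state are constructed here; the magic wand is left out because it quantifies over infinitely many disjoint heaps.

```python
from itertools import combinations

# Constructed encoding (not the paper's): a store is a dict variable -> int, a heap a
# dict int -> int (finite, functional). Formulae are nested tuples:
# ('top',), ('emp',), ('eq', x, y), ('pto', x, y), ('ls', x, y),
# ('not', f), ('and', f, g), ('sep', f, g).


def subheaps(h):
    """Enumerate every h' with h' ⊑ h, i.e. every restriction of h to a subset of dom(h)."""
    keys = sorted(h)
    for n in range(len(keys) + 1):
        for dom in combinations(keys, n):
            yield {k: h[k] for k in dom}


def is_list_segment(h, a, b):
    """Precise ls semantics: h is empty and a == b, or h is exactly the path
    a = l0 -> l1 -> ... -> ln = b (n >= 1) with pairwise distinct l0, ..., ln."""
    if not h:
        return a == b
    path, cur = [a], a
    while cur in h:
        cur = h[cur]
        if cur in path:          # a repeated node: the l_i would not be distinct
            return False
        path.append(cur)
    # every cell of h must lie on the path, and the path must stop exactly at b
    return cur == b and len(path) - 1 == len(h)


def sat(s, h, f):
    """Satisfaction relation (s, h) |= f for SL(*, ls)."""
    op = f[0]
    if op == 'top':
        return True
    if op == 'emp':
        return not h
    if op == 'eq':
        return s[f[1]] == s[f[2]]
    if op == 'pto':              # non-precise points-to, as in the paper
        return s[f[1]] in h and h[s[f[1]]] == s[f[2]]
    if op == 'ls':
        return is_list_segment(h, s[f[1]], s[f[2]])
    if op == 'not':
        return not sat(s, h, f[1])
    if op == 'and':
        return sat(s, h, f[1]) and sat(s, h, f[2])
    if op == 'sep':              # look for a split h = h1 + h2 with h1 ⊥ h2
        for h1 in subheaps(h):
            h2 = {k: v for k, v in h.items() if k not in h1}
            if sat(s, h1, f[1]) and sat(s, h2, f[2]):
                return True
        return False
    raise ValueError(f"unknown connective {op!r}")


# Abbreviations taken from the paper, written over the tuple encoding.
def size_ge(beta):
    """size >= 0 is ⊤; size >= beta+1 is (size >= beta) * ¬emp."""
    f = ('top',)
    for _ in range(beta):
        f = ('sep', f, ('not', ('emp',)))
    return f


def reach(x, y):
    """reach(x, y) ≡ ⊤ * ls(x, y)"""
    return ('sep', ('top',), ('ls', x, y))


def ls_via_reach(x, y):
    """ls(x, y) ≡ reach(x, y) ∧ ¬(¬emp * reach(x, y))"""
    return ('and', reach(x, y), ('not', ('sep', ('not', ('emp',)), reach(x, y))))


if __name__ == "__main__":
    # constructed memory state: x -> 1, y -> 3, heap 1 -> 2 -> 3 -> 1 (a cycle)
    s, h = {'x': 1, 'y': 3}, {1: 2, 2: 3, 3: 1}
    print(sat(s, h, ('ls', 'x', 'y')), sat(s, h, reach('x', 'y')))  # False True
```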


Decision Problems. Let L be a logic defined above. As usual, the satisfiability problem for L takes as input a formula φ from L and asks whether there is (s, h) such that (s, h) ⊨ φ. The validity problem is also defined as usual. The model-checking problem for L takes as input a formula φ from L, (s, h), and asks whether (s, h) ⊨ φ (s is restricted to the variables occurring in φ and h is encoded as a finite and functional graph). Unless otherwise specified, the size of a formula φ is understood as its tree size, i.e. approximately its number of symbols.

The main purpose of this paper is to study the decidability/complexity status of SL(*, -*, ls) and its fragments.


3 Undecidability of SL(*, -*, ls)

In this section, we show that SL(*, -*, ls) has an undecidable satisfiability problem even though it does not admit first-order quantification.

Let SL(∀, -*) be the first-order extension of SL(-*) obtained by adding the universal quantifier ∀. The formulae φ of SL(∀, -*) are built from
\[
\pi ::= x = y \mid x \mapsto y
\qquad
\varphi ::= \pi \mid \neg\varphi \mid \varphi \vee \varphi \mid \varphi \mathrel{-\!*} \varphi \mid \forall x\ \varphi,
\]
where x, y ∈ PVAR. Note that emp can be easily defined by $\forall x, x'\ \neg(x \mapsto x')$. Models of the logic SL(∀, -*) are memory states and the satisfaction relation ⊨ is defined as for SL(-*) with the additional clause:
\[
(s,h) \models \forall x\ \varphi \iff \text{for all } \ell \in LOC, \text{ we have } (s[x \mapsto \ell], h) \models \varphi.
\]
Without any loss of generality, we can assume that the satisfiability [resp. validity] problem for SL(∀, -*) is defined by taking as inputs closed formulae (i.e. without free occurrences of the variables).


Proposition 1. [5,14] The satisfiability problem for SL(∀, -*) is undecidable and the set of valid formulae for SL(∀, -*) is not recursively enumerable.


In a nutshell, we establish the undecidability of SL(*, -*, ls) by reduction from the satisfiability problem for SL(∀, -*). The reduction is nicely decomposed into two intermediate steps: (1) the undecidability of SL(*, -*) extended with a few atomic predicates, to be defined soon, and (2) a tour de force resulting in the encoding of these atomic predicates in SL(*, -*, ls).


3.1 Encoding Quantified Variables as Cells in the Heap 


In this section, we assume for a moment that we can express three atomic predicates $\texttt{alloc}^{-1}(x)$, $n(x) = n(y)$ and $n(x) \mapsto n(y)$, that will be used in the translation and have the following semantics:

— $(s,h) \models \texttt{alloc}^{-1}(x)$ holds whenever s(x) ∈ ran(h),
— $(s,h) \models n(x) = n(y)$ holds iff {s(x), s(y)} ⊆ dom(h) and h(s(x)) = h(s(y)),
— $(s,h) \models n(x) \mapsto n(y)$ holds iff {s(x), s(y)} ⊆ dom(h) and $h^2(s(x)) = h(s(y))$.


Let us first intuitively explain how the two last predicates will help encoding SL(∀, -*). By definition, the satisfaction of the quantified formula ∀x ψ from SL(∀, -*) requires the satisfaction of the formula ψ for all the values in LOC assigned to x. The principle of the encoding is to use a set L of locations initially not in the domain or range of the heap to mimic the store by modifying how they are allocated. In this way, a variable will be interpreted by a location in the heap and, instead of checking whether x ↦ y (or x = y) holds, we will check if n(x) ↦ n(y) (or n(x) = n(y)) holds, where x and y correspond, after the translation, to the locations in L that mimic the store for those variables. Let X be the set of variables needed for the translation. In order to properly encode the store, each location in L mimics exactly one variable, i.e. there is a bijection between X and L, and cannot be reached by any location. As such, the formula ∀x ψ will be encoded by the formula $(\texttt{alloc}(x) \wedge \texttt{size} = 1) \mathrel{-\!*} (OK(X) \Rightarrow T(\psi))$, where OK(X) (formally defined below) checks whether the locations in L still satisfy the auxiliary conditions just described, whereas T(ψ) is the translation of ψ.

Unfortunately, the formula $\psi_1 \mathrel{-\!*} \psi_2$ cannot simply be translated into $T(\psi_1) \mathrel{-\!*} (OK(X) \Rightarrow T(\psi_2))$ because the evaluation of $T(\psi_1)$ in a disjoint heap may need the values of free variables occurring in $\psi_1$, but our encoding of the variable valuations via the heap does not allow to preserve these values through disjoint heaps. In order to solve this problem, for each variable x in the formula, X will contain an auxiliary variable $\bar{x}$, or alternatively we define on X an involution $\bar{(\cdot)}$: if the translated formula has q variables then the set X of variables needed for the translation will have cardinality 2q. In the translation of a formula whose outermost connective is the magic wand, the locations corresponding to variables of the form $\bar{x}$ will be allocated on the left side of the magic wand, and checked to be equal to their non-bar versions on the right side of the magic wand. As such, the left side of the magic wand will be translated into
\[
\Big(\bigwedge_{z \in Z} \texttt{alloc}(\bar{z})\Big) \wedge \Big(\bigwedge_{z \in X \setminus Z} \neg\texttt{alloc}(\bar{z})\Big) \wedge OK(X) \wedge T(\psi_1)[z \leftarrow \bar{z} \mid z \in Z],
\]
where Z is the set of free variables in $\psi_1$, whereas the right side will be
\[
\Big(\big(\bigwedge_{z \in Z} n(z) = n(\bar{z})\big) \wedge OK(X)\Big) \Rightarrow \Big(\big(\big(\bigwedge_{z \in Z} \texttt{alloc}(\bar{z})\big) \wedge \texttt{size} = card(Z)\big) * T(\psi_2)\Big).
\]

The use of the separating conjunction before the formula $T(\psi_2)$ separates the memory cells corresponding to the variables $\bar{x}$ from the rest of the heap. By doing this, we can reuse X whenever a magic wand appears in $T(\psi_2)$.

For technical convenience, we consider a slight alternative for the semantics of the logics SL(∀, -*) and SL(*, -*, ls), which does not modify the notion of satisfiability/validity and such that the set of formulae and the definition of the satisfaction relation ⊨ remain unchanged. So far, the memory states are pairs of the form (s, h) with s : PVAR → LOC and $h : LOC \to_{fin} LOC$ for a fixed countably infinite set of locations LOC, say LOC = ℕ. Alternatively, the models for SL(∀, -*) and SL(*, -*, ls) can be defined as triples $(LOC_1, s_1, h_1)$ such that $LOC_1$ is a countably infinite set, $s_1 : PVAR \to LOC_1$ and $h_1 : LOC_1 \to_{fin} LOC_1$. As shown below, this does not change the notion of satisfiability and validity, but this generalisation will be handy in a few places. Most of the time, a generalised memory state $(LOC_1, s_1, h_1)$ shall be written $(s_1, h_1)$ when no confusion is possible.

Given a bijection $f : LOC_1 \to LOC_2$ and a heap $h_1 : LOC_1 \to_{fin} LOC_1$ equal to $\{\ell_1 \mapsto h_1(\ell_1), \ldots, \ell_n \mapsto h_1(\ell_n)\}$, we write $f(h_1)$ to denote the heap $h_2 : LOC_2 \to_{fin} LOC_2$ with $h_2 = \{f(\ell_1) \mapsto f(h_1(\ell_1)), \ldots, f(\ell_n) \mapsto f(h_1(\ell_n))\}$.


Definition 1. Let $(LOC_1, s_1, h_1)$ and $(LOC_2, s_2, h_2)$ be generalised memory states and X ⊆ PVAR. A partial isomorphism with respect to X from $(LOC_1, s_1, h_1)$ to $(LOC_2, s_2, h_2)$ is a bijection $f : LOC_1 \to LOC_2$ such that $h_2 = f(h_1)$ and for all x ∈ X, $f(s_1(x)) = s_2(x)$ (we write $(LOC_1, s_1, h_1) \simeq_X (LOC_2, s_2, h_2)$).


A folklore result states that isomorphic memory states satisfy the same formulae since the logics SL(∀, -*), SL(*, -*, ls) can only perform equality tests.


Lemma 1. Let $(LOC_1, s_1, h_1)$ and $(LOC_2, s_2, h_2)$ be two generalised memory states such that $(LOC_1, s_1, h_1) \simeq_X (LOC_2, s_2, h_2)$, for some X ⊆ PVAR. (I) For all formulae φ in SL(∀, -*) whose free variables are among X, we have $(LOC_1, s_1, h_1) \models \varphi$ iff $(LOC_2, s_2, h_2) \models \varphi$. (II) For all formulae φ in SL(*, -*, ls) built on variables among X, we have $(LOC_1, s_1, h_1) \models \varphi$ iff $(LOC_2, s_2, h_2) \models \varphi$.

As a direct consequence, satisfiability in SL(*, -*, ls) as defined in Sect. 2 is equivalent to satisfiability with generalised memory states; the same holds for SL(∀, -*). Next, we define the encoding of a generalised memory state. This can be seen as the semantical counterpart of the syntactical translation process and, as such, formalises the intuition of using part of a heap to mimic the store.


Definition 2. Let $X = \{x_1, \ldots, x_{2q}\}$, $Y \subseteq \{x_1, \ldots, x_q\}$ and $(LOC_1, s_1, h_1)$, $(LOC_2, s_2, h_2)$ be two (generalised) memory states. We say that $(LOC_1, s_1, h_1)$ is encoded by $(LOC_2, s_2, h_2)$ w.r.t. X, Y, written $(LOC_1, s_1, h_1) \triangleright^Y_X (LOC_2, s_2, h_2)$, if the following conditions hold:

- $LOC_1 = LOC_2 \setminus \{s_2(x) \mid x \in X\}$,
- for all $x \neq y \in X$, $s_2(x) \neq s_2(y)$,
- $h_2 = h_1 + \{s_2(x) \mapsto s_1(x) \mid x \in Y\}$.

Notice that $h_2$ is equal to $h_1$ plus the heap $\{s_2(x) \mapsto s_1(x) \mid x \in Y\}$ that encodes the store $s_1$. The picture below presents a memory state (left) and its encoding (right), where $Y = \{x_i, x_j, x_k\}$. From the encoding, we can retrieve the initial heap by removing the memory cells corresponding to $x_i$, $x_j$ and $x_k$. By way of example, the memory state on the left satisfies the formulae $x_i = x_j$, $x_i \mapsto x_k$ and $x_k \mapsto x_i$ whereas its encoding satisfies the formulae $n(x_i) = n(x_j)$, $n(x_i) \mapsto n(x_k)$ and $n(x_k) \mapsto n(x_i)$.

[Picture: a memory state (left) with $x_i = x_j$ and its encoding (right)]
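Definition 2 carried out in code, as an added example that is not part of the paper: the encoding (s₂, h₂) of a memory state (s₁, h₁) is built by giving each variable of Y a fresh location that points to its old value, and the atomic formulae x = y, x ↦ y on the original state are compared with n(x) = n(y), n(x) ↦ n(y) on the encoding. Locations are ints, the store is restricted to Y, and the sample state is constructed here.

```python
from itertools import count


def encode(s1, h1):
    """Return (s2, h2) with h2 = h1 + {s2(x) -> s1(x) | x in Y}, where Y = s1.keys(),
    s2 is injective and every s2(x) lies outside LOC1 = dom(h1) ∪ ran(h1) ∪ ran(s1)."""
    used = set(h1) | set(h1.values()) | set(s1.values())
    fresh = (loc for loc in count(0) if loc not in used)
    s2, h2 = {}, dict(h1)
    for x in s1:
        loc = next(fresh)
        used.add(loc)              # keeps later picks distinct, so s2 is injective
        s2[x] = loc
        h2[loc] = s1[x]            # the cell s2(x) -> s1(x) mimics the store
    return s2, h2


def decode(s2, h2):
    """Recover h1 from the encoding by dropping the cells allocated to variables."""
    own = set(s2.values())
    return {k: v for k, v in h2.items() if k not in own}


# Atomic formulae of SL(V, -*) on the original state ...
def eq(s, h, x, y):
    return s[x] == s[y]


def pto(s, h, x, y):
    return s[x] in h and h[s[x]] == s[y]


# ... and the auxiliary predicates of Sect. 3.1 on the encoding.
def n_eq(s, h, x, y):
    """(s,h) |= n(x) = n(y): {s(x), s(y)} ⊆ dom(h) and h(s(x)) = h(s(y))."""
    return s[x] in h and s[y] in h and h[s[x]] == h[s[y]]


def n_pto(s, h, x, y):
    """(s,h) |= n(x) -> n(y): {s(x), s(y)} ⊆ dom(h) and h(h(s(x))) = h(s(y))."""
    return (s[x] in h and s[y] in h and h[s[x]] in h
            and h[h[s[x]]] == h[s[y]])


def encoding_agrees(s1, h1):
    """Check, for every pair of variables in Y, that x = y and x -> y on (s1, h1)
    have the same truth value as n(x) = n(y) and n(x) -> n(y) on the encoding."""
    s2, h2 = encode(s1, h1)
    return all(eq(s1, h1, x, y) == n_eq(s2, h2, x, y)
               and pto(s1, h1, x, y) == n_pto(s2, h2, x, y)
               for x in s1 for y in s1)


if __name__ == "__main__":
    # constructed state matching the picture: x_i = x_j, x_i -> x_k, x_k -> x_i
    s1 = {'xi': 1, 'xj': 1, 'xk': 5}
    h1 = {1: 5, 5: 1}
    print(encode(s1, h1), encoding_agrees(s1, h1))
```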


3.2 The Translation 


We are now ready to define the translation of a first-order formula in propositional separation logic extended with the three predicates introduced at the beginning of the section. Let φ be a closed formula of SL(∀, -*) with quantified variables $\{x_1, \ldots, x_q\}$. W.l.o.g., we can assume that distinct quantifications involve distinct variables. Moreover, let $X = \{x_1, \ldots, x_{2q}\}$ and $\bar{(\cdot)}$ be the involution on X such that for all i ∈ [1, q], $\bar{x_i} = x_{i+q}$.

We write OK(X) to denote the formula $(\bigwedge_{i \neq j} x_i \neq x_j) \wedge (\bigwedge_i \neg\texttt{alloc}^{-1}(x_i))$. The translation function T has two arguments: the formula in SL(∀, -*) to be recursively translated and the total set of variables potentially appearing in the target formula (useful to check that OK(X) holds on every heap involved in the satisfaction of the translated formula). Let us come back to the definition of T(ψ, X) (homomorphic for Boolean connectives) with the assumption that the variables in ψ are among $x_1, \ldots, x_q$.
\[
\begin{array}{lcl}
T(x_i = x_j, X) & = & n(x_i) = n(x_j)\\
T(x_i \mapsto x_j, X) & = & n(x_i) \mapsto n(x_j)\\
T(\forall x_i\ \psi, X) & = & (\texttt{alloc}(x_i) \wedge \texttt{size} = 1) \mathrel{-\!*} (OK(X) \Rightarrow T(\psi, X))
\end{array}
\]

Lastly, the translation $T(\psi_1 \mathrel{-\!*} \psi_2, X)$ is defined as
\[
\begin{array}{l}
\Big(\big(\bigwedge_{z \in Z} \texttt{alloc}(\bar{z})\big) \wedge \big(\bigwedge_{z \in X \setminus Z} \neg\texttt{alloc}(\bar{z})\big) \wedge OK(X) \wedge T(\psi_1, X)[z \leftarrow \bar{z} \mid z \in Z]\Big) \mathrel{-\!*}\\[4pt]
\quad \Big(\big(\big(\bigwedge_{z \in Z} n(z) = n(\bar{z})\big) \wedge OK(X)\big) \Rightarrow \big(\big(\big(\bigwedge_{z \in Z} \texttt{alloc}(\bar{z})\big) \wedge \texttt{size} = card(Z)\big) * T(\psi_2, X)\big)\Big),
\end{array}
\]
where $Z \subseteq \{x_1, \ldots, x_q\}$ is the set of free variables in $\psi_1$.


Here is the main result of this section, which is essential for the correctness of $T_{SAT}(\varphi)$, defined below.


Lemma 2. Let $X = \{x_1, \ldots, x_{2q}\}$, $Y \subseteq \{x_1, \ldots, x_q\}$, ψ be a formula in SL(∀, -*) with free variables among Y that does not contain any bound variable of φ and $(LOC_1, s_1, h_1) \triangleright^Y_X (LOC_2, s_2, h_2)$. We have $(s_1, h_1) \models \psi$ iff $(s_2, h_2) \models T(\psi, X)$.


We define the translation $T_{SAT}(\varphi)$ in SL(*, -*, ls), where T(φ, X) is defined recursively:
\[
T_{SAT}(\varphi) = \Big(\bigwedge_{i \in [1,2q]} \neg\texttt{alloc}(x_i)\Big) \wedge OK(X) \wedge T(\varphi, X).
\]

The first two conjuncts specify initial conditions, namely each variable y in X is interpreted by a location that is unallocated, is not in the heap range and is distinct from the interpretation of all other variables; in other words, the value for y is isolated. Similarly, let $T_{VAL}(\varphi)$ be the formula in SL(*, -*, ls) defined by $((\bigwedge_{i \in [1,2q]} \neg\texttt{alloc}(x_i)) \wedge OK(X)) \Rightarrow T(\varphi, X)$. As a consequence of Lemma 2, φ and $T_{SAT}(\varphi)$ are shown equisatisfiable, whereas φ and $T_{VAL}(\varphi)$ are shown equivalid.


Corollary 1. Let φ be a closed formula in SL(∀, -*) using quantified variables among $\{x_1, \ldots, x_q\}$. (I) φ and $T_{SAT}(\varphi)$ are equisatisfiable. (II) φ and $T_{VAL}(\varphi)$ are equivalid.


3.3 Expressing the Auxiliary Atomic Predicates

To complete the reduction, we briefly explain how to express the formulae $\texttt{alloc}^{-1}(x)$, $n(x) = n(y)$ and $n(x) \mapsto n(y)$ within SL(*, -*, ls). Let us introduce a few macros that shall be helpful.

— Given φ in SL(*, -*, reach+) and γ ≥ 0, we write $[\varphi]_\gamma$ to denote the formula $(\texttt{size} = \gamma \wedge \varphi) * \top$. It is easy to show that for any memory state (s, h), $(s,h) \models [\varphi]_\gamma$ iff there is $h' \sqsubseteq h$ such that $card(dom(h')) = \gamma$ and $(s,h') \models \varphi$.

— We write $\texttt{reach}(x,y) = \gamma$ to denote the formula $[\texttt{ls}(x,y)]_\gamma$, which is satisfied in any memory state (s, h) where $h^\gamma(s(x)) = s(y)$. Lastly, we write $\texttt{reach}(x,y) \leq \gamma$ to denote the formula $\bigvee_{0 \leq \gamma' \leq \gamma} \texttt{reach}(x,y) = \gamma'$.


In order to define the existence of a predecessor (i.e. $\texttt{alloc}^{-1}(x)$) in SL(*, -*, ls), we need to take advantage of an auxiliary variable y whose value is different from the one for x. Let $\texttt{alloc}^{-1}_y(x)$ be the formula
\[
x \mapsto x \ \vee\ y \mapsto x \ \vee\ \big[(\texttt{alloc}(y) \wedge \neg(y \mapsto x) \wedge \texttt{size} = 1) \mathrel{-\!\circledast} \texttt{reach}(y,x) = 2\big]_1.
\]


Lemma 3. Let x, y ∈ PVAR. (I) For all memory states (s, h) such that s(x) ≠ s(y), we have $(s,h) \models \texttt{alloc}^{-1}_y(x)$ iff s(x) ∈ ran(h). (II) In the translation, $\texttt{alloc}^{-1}(x)$ can be replaced with $\texttt{alloc}^{-1}_{\bar{x}}(x)$.


As stated in Lemma 3(II), we can exploit the fact that in the translation of a formula with variables in $\{x_1, \ldots, x_q\}$, we use 2q variables that correspond to 2q distinguished locations in the heap in order to retain the soundness of the translation while using $\texttt{alloc}^{-1}_{\bar{x}}(x)$ as $\texttt{alloc}^{-1}(x)$. Moreover, $\texttt{alloc}^{-1}_y(x)$ allows to express in SL(*, -*, ls) whether a location corresponding to a program variable reaches itself in exactly two steps (we use this property in the definition of n(x) = n(y)). We write $x \mapsto^2 x$ to denote the formula
\[
\neg(x \mapsto x) \wedge (x \mapsto y \Rightarrow y \mapsto x) \wedge \big[\texttt{alloc}(x) \wedge \texttt{alloc}^{-1}_y(x) \wedge (\top \mathrel{-\!*} \neg\texttt{reach}(x,y) = 2)\big]_2.
\]
For any memory state (s, h) such that s(x) ≠ s(y), we have $(s,h) \models x \mapsto^2 x$ if and only if $h^2(s(x)) = s(x)$ and $h(s(x)) \neq s(x)$.

The predicate n(x) = n(y) can be defined in SL(*, -*, ls) as
\[
\begin{array}{l}
\Big(x \neq y \Rightarrow \big[\texttt{alloc}(x) \wedge \texttt{alloc}(y) \wedge \big((x \mapsto y \wedge y \mapsto y) \vee (y \mapsto x \wedge x \mapsto x) \vee (\bigwedge_{z,z' \in \{x,y\}} \neg z \mapsto z')\big)\\
\qquad \wedge\ (\top \mathrel{-\!*} \neg(\texttt{reach}(x,y) = 2 \wedge \texttt{reach}(y,x) = 2))\big]_2\Big) \wedge \texttt{alloc}(x).
\end{array}
\]

Lemma 4. Let x, y ∈ PVAR. For all memory states (s, h), we have $(s,h) \models n(x) = n(y)$ iff h(s(x)) = h(s(y)).


Similarly to $\texttt{alloc}^{-1}(x)$, we can show that $n(x) \mapsto n(y)$ is definable in SL(*, -*, ls) by using one additional variable z whose value is different from both x and y. Let $\varphi_{\mapsto}(x,y,z)$ be $(n(x) = n(y) \wedge \varphi^{=}_{\mapsto}(x,y,z)) \vee (n(x) \neq n(y) \wedge \varphi^{\neq}_{\mapsto}(x,y))$, where $\varphi^{=}_{\mapsto}(x,y,z)$ is defined as
\[
(x \mapsto x \wedge y \mapsto x) \vee (y \mapsto y \wedge x \mapsto y) \vee (x \mapsto z \wedge z \mapsto z) \vee \big[\texttt{alloc}(x) \wedge \neg\texttt{alloc}^{-1}_y(x) \wedge (\top \mathrel{-\!*} \neg\texttt{reach}(x,z) \leq 3)\big]_2
\]
whereas $\varphi^{\neq}_{\mapsto}(x,y)$ is defined as
\[
\begin{array}{l}
(x \mapsto y \wedge \texttt{alloc}(y)) \vee (y \mapsto y \wedge \texttt{reach}(x,y) = 2) \vee (y \mapsto x \wedge x \mapsto^2 x) \vee\\[2pt]
\big[\texttt{alloc}(x) \wedge \texttt{alloc}(y) \wedge (\bigwedge_{z,z' \in \{x,y\}} \neg z \mapsto z') \wedge \neg\texttt{reach}(x,y) \leq 3\\
\qquad \wedge\ ((\texttt{size} = 1 \wedge \texttt{alloc}^{-1}_x(y)) \mathrel{-\!\circledast} (\texttt{reach}(x,y) = 3 \wedge y \mapsto^2 y))\big]_3
\end{array}
\]

Lemma 5. Let x, y, z ∈ PVAR. (I) For all memory states (s, h) such that s(x) ≠ s(z) and s(y) ≠ s(z), we have $(s,h) \models \varphi_{\mapsto}(x,y,z)$ iff {s(x), s(y)} ⊆ dom(h) and h(h(s(x))) = h(s(y)); (II) In the translation, $n(x) \mapsto n(y)$ can be replaced by $\varphi_{\mapsto}(x,y,\bar{x})$.


As for $\texttt{alloc}^{-1}_{\bar{x}}(x)$, the properties of the translation imply the equivalence between $n(x) \mapsto n(y)$ and $\varphi_{\mapsto}(x,y,\bar{x})$ (as stated in Lemma 5(II)). By looking at the formulae herein defined, the predicate reach only appears bounded, i.e. in the form of reach(x, y) = 2 and reach(x, y) = 3. The three new predicates can therefore be defined in SL(*, -*) enriched with reach(x, y) = 2 and reach(x, y) = 3.


3.4 Undecidability Results and Non-finite Axiomatization 


It is time to collect the fruits of all our efforts and to conclude this part about undecidability. As a direct consequence of Corollary 1 and the undecidability of SL(∀, -*), here is one of the main results of the paper.


Theorem 1. The satisfiability problem for SL(*, -*, ls) is undecidable.


As a by-product, the set of valid formulae for SL(*, -*, ls) is not recursively enumerable. Indeed, suppose that the set of valid formulae for SL(*, -*, ls) were r.e.; then one can enumerate the valid formulae of the form $T_{VAL}(\varphi)$, as it is decidable in PTIME whether ψ in SL(*, -*, ls) is syntactically equal to $T_{VAL}(\varphi)$ for some SL(∀, -*) formula φ. This leads to a contradiction since this would allow the enumeration of valid formulae in SL(∀, -*).

The essential ingredients to establish the undecidability of SL(*, -*, ls) are the fact that the properties $n(x) = n(y)$, $n(x) \mapsto n(y)$ and $\texttt{alloc}^{-1}(x)$ are expressible in the logic.


Corollary 2. SL(*, -*) augmented with built-in formulae of the form $n(x) = n(y)$, $n(x) \mapsto n(y)$ and $\texttt{alloc}^{-1}(x)$ (resp. of the form reach(x, y) = 2 and reach(x, y) = 3) admits an undecidable satisfiability problem.


It is the addition of reach(x, y) = 3 that is crucial for undecidability since the satisfiability problem for SL(*, -*, reach(x, y) = 2) is in PSPACE [15]. Following a similar analysis, let SL1(∀, *, -*) be the restriction of SL(∀, *, -*) (i.e. SL(∀, -*) plus *) to formulae of the form $\exists x_1 \cdots \exists x_q\ \varphi$, where q ≥ 1, the variables in φ are among $\{x_1, \ldots, x_{q+1}\}$ and the only quantified variable in φ is $x_{q+1}$. The satisfiability problem for SL1(∀, *, -*) is PSPACE-complete [15]. Note that SL1(∀, *, -*) can easily express $n(x) = n(y)$ and $\texttt{alloc}^{-1}(x)$. The distance between the decidability for SL1(∀, *, -*) and the undecidability for SL(*, -*, ls) is best witnessed by the corollary below, which solves an open problem [15, Sect. 6].

Corollary 3. SL1(∀, *, -*) augmented with $n(x) \mapsto n(y)$ (resp. SL1(∀, *, -*) augmented with ls) admits an undecidable satisfiability problem.


4 SL(*, reach+) and Other PSPACE Variants

As already seen in Sect. 2, SL(*, ls) can be understood as a fragment of SL(*, reach+). Below, we show that the satisfiability problem for SL(*, reach+) can be solved in polynomial space. Refining the arguments used in our proof, we also show the decidability of the fragment of SL(*, -*, reach+) where reach+ is constrained not to occur in the scope of -*, i.e. φ belongs to that fragment iff for any subformula ψ of φ of the form $\psi_1 \mathrel{-\!*} \psi_2$, reach+ does not occur in $\psi_1$ and in $\psi_2$.

The proof relies on a small heap property: a formula φ is satisfiable if and only if it admits a model with a polynomial amount of memory cells. The PSPACE upper bound then follows by establishing that the model-checking problem for SL(*, reach+) is in PSPACE too. To establish the small heap property, an equivalence relation on memory states with finite index is designed, following the standard approach in [10,32] and using test formulae as in [4,15,22,23].


4.1 Introduction to Test Formulae 


Before presenting the test formulae for SL(*, reach+), let us recall the standard result for SL(*, -*) (that will also be used at some point later on).

Proposition 2. [22,32] Any formula φ in SL(*, -*) built over variables in $x_1, \ldots, x_q$ is logically equivalent to a Boolean combination of formulae among $x_i = x_j$, $\texttt{alloc}(x_i)$, $x_i \mapsto x_j$ and $\texttt{size} \geq \beta$ ($i, j \in \{1, \ldots, q\}$, β ∈ ℕ).

By way of example, $(\neg\texttt{emp} * ((x_1 \mapsto x_2) \mathrel{-\!*} \bot))$ is equivalent to $\texttt{size} \geq 2 \wedge \texttt{alloc}(x_1)$. As a corollary of the proof of Proposition 2, in $\texttt{size} \geq \beta$ we can enforce that β ≤ 2 × |φ| (rough upper bound), where |φ| is the size of φ. Similar results will be shown for SL(*, reach+) and for some of its extensions.

In order to define a set of test formulae that captures the expressive power of SL(*, reach+), we need to study which basic properties on memory states can be expressed by SL(*, reach+) formulae. For example, consider the memory states from Fig. 1.

The memory states $(s_1, h_1)$ and $(s_2, h_2)$ can be distinguished by the formula $\top * (\texttt{reach}(x_i, x_j) \wedge \texttt{reach}(x_i, x_k) \wedge \neg\texttt{reach}(x_k, x_j))$. Indeed, $(s_1, h_1)$ satisfies this formula by considering a subheap that does not contain a path from $s(x_k)$ to $s(x_j)$, whereas it is impossible to find a subheap for $(s_2, h_2)$ that retains the path from $s(x_i)$ to $s(x_j)$ and the one from $s(x_i)$ to $s(x_k)$ but where the path from $s(x_k)$ to $s(x_j)$ is lost. This suggests that SL(*, reach+) can express

[Fig. 1. Memory states $(s_1, h_1), \ldots, (s_4, h_4)$ (from left to right)]

whether, for example, any path from $s(x_i)$ to $s(x_j)$ also contains $s(x_k)$. We will introduce the test formula $\texttt{sees}_q(x_i, x_j) \geq \beta$ to capture this property.

Similarly, the memory states $(s_3, h_3)$ and $(s_4, h_4)$ can be distinguished by the formula $(\texttt{size} = 1) * (\texttt{reach}(x_j, x_k) \wedge \neg\texttt{reach}(x_i, x_k) \wedge \neg\texttt{reach}^+(x_i, x_i))$. The memory state $(s_3, h_3)$ satisfies this formula by separating $\{\ell \mapsto \ell'\}$ from the rest of the heap, whereas the formula is not satisfied by $(s_4, h_4)$. Indeed, there is no way to break the loop from $s(x_i)$ to itself by removing just one location from the heap while retaining the path from $s(x_j)$ to $s(x_k)$ and losing the path from $s(x_i)$ to $s(x_k)$. This suggests that the two locations ℓ and ℓ' are particularly interesting since they are reachable from several locations corresponding to program variables. Therefore, by separating them from the rest of the heap, several paths are lost. In order to capture this, we introduce the notion of meet-points.

Let $\text{Terms}_q$ be the set $\{x_1, \ldots, x_q\} \cup \{m_q(x_i, x_j) \mid i, j \in [1,q]\}$, understood as the set of terms that are either variables or expressions denoting a meet-point. We write $[x_i]^q_{s,h}$ to denote $s(x_i)$ and $[m_q(x_i, x_j)]^q_{s,h}$ to denote (if it exists) the first location reachable from $s(x_i)$ that is also reachable from $s(x_j)$. Moreover, we require that this location can reach another location corresponding to a program variable. Formally, $[m_q(x_i, x_j)]^q_{s,h}$ is defined as the unique location ℓ such that

— there are $L_1, L_2 \geq 0$ such that $h^{L_1}(s(x_i)) = h^{L_2}(s(x_j)) = \ell$, and
— for all $L_1' < L_1$ and for all $L_2' \geq 0$, $h^{L_1'}(s(x_i)) \neq h^{L_2'}(s(x_j))$, and
— there exist k ∈ [1, q] and L ≥ 0 such that $h^L(\ell) = s(x_k)$.

These conditions hold for at most one location ℓ. One can easily show that the notion $[m_q(x_i, x_j)]^q_{s,h}$ is well-defined. The picture below provides a taxonomy of meet-points, where arrows labelled by '+' represent paths of non-zero length and zig-zag arrows any path (possibly of zero length). Symmetrical cases, obtained by swapping $x_i$ and $x_j$, are omitted.


[Picture: taxonomy of meet-points $m_q(x_i, x_j)$ and $m_q(x_j, x_i)$, with $x_i$, $x_j$, $x_k$; one case has $x_j$ not inside a loop]

Notice how the asymmetrical definition of meet-points is captured in the two rightmost heaps. Consider the memory states from Fig. 1: $(s_3, h_3)$ and $(s_4, h_4)$ can be seen as an instance of the third case of the taxonomy and, as such, it holds that $[m_q(x_i, x_j)]^q_{s_3,h_3} = \ell$ and $[m_q(x_j, x_i)]^q_{s_3,h_3} = \ell'$.

Given $q, \alpha \geq 1$, we write $\mathrm{Test}(q,\alpha)$ to denote the following set of atomic
formulae (also called test formulae):

$$v = v' \qquad v \hookrightarrow v' \qquad \mathrm{alloc}(v) \qquad \mathrm{sees}_q(v,v') \geq \beta+1 \qquad \mathrm{sizeR}_q \geq \beta,$$

where $v, v' \in \mathrm{Terms}_q$ and $\beta \in [1,\alpha]$. It is worth noting that the formulae $\mathrm{alloc}(v)$ are
not needed for the logic SL(*, reach+) but are required for extensions.

We identify as special locations the $s(x_i)$'s and the meet-points of the form
$[m_q(x_i,x_j)]^q_{s,h}$ when they exist ($i,j \in [1,q]$). We call such locations labelled
locations, and the set of labelled locations is written $\mathrm{Labels}^q_{s,h}$. The formal semantics
of the test formulae is provided below:


$(s,h) \models v = v'$ iff $[v]^q_{s,h}$ and $[v']^q_{s,h}$ are defined and $[v]^q_{s,h} = [v']^q_{s,h}$;

$(s,h) \models \mathrm{alloc}(v)$ iff $[v]^q_{s,h}$ is defined and belongs to $\mathrm{dom}(h)$;

$(s,h) \models v \hookrightarrow v'$ iff $h([v]^q_{s,h}) = [v']^q_{s,h}$;

$(s,h) \models \mathrm{sees}_q(v,v') \geq \beta+1$ iff there is $L \geq \beta+1$ such that $h^L([v]^q_{s,h}) = [v']^q_{s,h}$ and, for all $0 < L' < L$, $h^{L'}([v]^q_{s,h}) \notin \mathrm{Labels}^q_{s,h}$;

$(s,h) \models \mathrm{sizeR}_q \geq \beta$ iff $\mathrm{card}(\mathrm{Rem}^q_{s,h}) \geq \beta$,


where $\mathrm{Rem}^q_{s,h}$ is the set of locations that neither belong to a path between
two locations interpreted by program variables nor are equal to program variable
interpretations, i.e.

$$\mathrm{Rem}^q_{s,h} = \{\ell \in \mathrm{dom}(h) \mid \forall i \in [1,q],\ s(x_i) \neq \ell \ \text{ and } \ \forall i,j \in [1,q],\ \nexists L, L' \geq 1,\ h^L(s(x_i)) = \ell \text{ and } h^{L'}(\ell) = s(x_j)\}.$$

There is no need for test formulae of the form $\mathrm{sees}_q(v,v') \geq 1$ since they are equivalent to
$v \hookrightarrow v' \vee \mathrm{sees}_q(v,v') \geq 2$. One can check whether $[m_q(x_i,x_j)]^q_{s,h}$ is defined thanks to
the formula $m_q(x_i,x_j) = m_q(x_i,x_j)$. By contrast, $\mathrm{sizeR}_q \geq \beta$ states that the
cardinality of the set $\mathrm{Rem}^q_{s,h}$ is at least $\beta$. Furthermore, $\mathrm{sees}_q(v,v') \geq \beta+1$
states that there is a minimal path between $v$ and $v'$ of length at least $\beta+1$
and that, strictly between $v$ and $v'$, there are no labelled locations. The satisfaction
of $\mathrm{sees}_q(v,v') \geq \beta+1$ entails the exclusion of labelled locations in the witness
path, which is reminiscent of the path predicates of the logic GRASS [26]. So, the
test formulae are quite expressive since they capture the atomic formulae from
SL(*, reach+) and the test formulae for SL(*, -*).
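As an added illustration, not part of the paper, here is a direct Python encoding of the meet-point definition and of the test formulae above. The store, heap, variable names and location numbers are constructed for this example (they are not the memory states of Fig. 1); `sees` takes locations that are already interpretations of terms, so both of its endpoints are labelled.

```python
"""Meet-points, labelled locations and the test formulae of Test(q, alpha),
evaluated on a constructed memory state (not the one of Fig. 1).
A store s is a dict variable -> location and a heap h a dict
location -> location (every cell holds a single pointer)."""

def path(h, loc):
    """h^0(loc), h^1(loc), ... until the heap runs out or a location repeats;
    the heap is finite, so this also stops on loops."""
    seen, out = set(), []
    while loc not in seen:
        seen.add(loc)
        out.append(loc)
        if loc not in h:
            break
        loc = h[loc]
    return out

def reach(h, loc):
    """All h^L(loc) with L >= 0."""
    return set(path(h, loc))

def meet_point(s, h, xi, xj):
    """[m_q(x_i, x_j)]_{s,h}: the first location on the path from s(x_i) that
    is also reachable from s(x_j) (conditions 1 and 2); it must in addition
    reach some s(x_k) (condition 3), otherwise the meet-point is undefined."""
    from_j = reach(h, s[xj])
    for loc in path(h, s[xi]):
        if loc in from_j:
            reaches_var = any(v in reach(h, loc) for v in s.values())
            return loc if reaches_var else None
    return None

def labels(s, h):
    """Labels_{s,h}: the s(x_i) together with every defined meet-point."""
    out = set(s.values())
    for xi in s:
        for xj in s:
            m = meet_point(s, h, xi, xj)
            if m is not None:
                out.add(m)
    return out

def sees(s, h, u, v, beta):
    """sees_q(u, v) >= beta + 1 for already interpreted terms u, v: a path of
    length L >= beta + 1 from u to v whose inner locations are unlabelled.
    Stopping at the first labelled location is sound because v itself is
    labelled, so any longer path through v would contain a label."""
    lab, loc, length = labels(s, h), u, 0
    while loc in h and length <= len(h):
        loc, length = h[loc], length + 1
        if loc == v:
            return length >= beta + 1
        if loc in lab:
            return False
    return False

def rem(s, h):
    """Rem_{s,h}: allocated locations that are no s(x_i) and that do not lie
    strictly inside a path from some s(x_i) to some s(x_j)."""
    var_locs = set(s.values())
    on_path = set()
    for a in var_locs:
        for idx, loc in enumerate(path(h, a)):
            # loc == h^idx(a) with idx >= 1, and some s(x_j) strictly after loc
            if idx >= 1 and loc in h and var_locs & reach(h, h[loc]):
                on_path.add(loc)
    return {loc for loc in h if loc not in var_locs and loc not in on_path}

def points_to(h, u, v):
    """u -> v: the cell at u stores v."""
    return h.get(u) == v

# Constructed memory state, q = 4: x1 and x2 enter the loop 3 -> 4 -> 5 -> 3 at
# different points, x3 sits on the loop, x4 leads nowhere, cell 8 is garbage.
S = {"x1": 1, "x2": 2, "x3": 4, "x4": 10}
H = {1: 3, 3: 4, 4: 5, 5: 3, 2: 9, 9: 5, 8: 1, 10: 11}

if __name__ == "__main__":
    print(meet_point(S, H, "x1", "x2"), meet_point(S, H, "x2", "x1"))  # asymmetric
    print(meet_point(S, H, "x4", "x1"))                                   # undefined
    print(sorted(labels(S, H)), rem(S, H))
    print(sees(S, H, S["x2"], meet_point(S, H, "x2", "x1"), 1))
```

On this state the two meet-points of $x_1$ and $x_2$ differ (3 versus 5, the two entry points into the loop), $m_q(x_2,x_1) \hookrightarrow m_q(x_1,x_2)$ holds, the garbage cell 8 is the only element of Rem, and $\mathrm{sees}_q(x_2, m_q(x_2,x_1)) \geq 2$ holds because the intermediate cell 9 is unlabelled.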


Lemma 6. Given $\alpha, q \geq 1$ and $i,j \in [1,q]$, for any atomic formula among
$\mathrm{ls}(x_i,x_j)$, $\mathrm{reach}(x_i,x_j)$, $\mathrm{reach}^+(x_i,x_j)$, $\mathrm{emp}$ and $\mathrm{size} \geq \beta$ with $\beta \leq \alpha$, there is
a Boolean combination of test formulae from $\mathrm{Test}(q,\alpha)$ logically equivalent to it.


4.2 Expressive Power and Small Model Property 


The sets of test formulae $\mathrm{Test}(q,\alpha)$ are sufficient to capture the expressive
power of SL(*, reach+) (as shown below, Theorem 2) and to deduce the small heap
property of this logic (Theorem 3). We introduce an indistinguishability relation
between memory states based on test formulae, see analogous relations
in [13,15,22].


Definition 3. Given $q, \alpha \geq 1$, we write $(s,h) \approx^q_\alpha (s',h')$ iff for all $\psi \in$
$\mathrm{Test}(q,\alpha)$, we have $(s,h) \models \psi$ iff $(s',h') \models \psi$.


Theorem 2(I) states that if $(s,h) \approx^q_\alpha (s',h')$, then the two memory states
cannot be distinguished by formulae whose syntactic resources are bounded in
some way by $q$ and $\alpha$ (details will follow, see the definition of $\mathrm{msize}(\varphi)$).

Below, we state the key intermediate result of the section, which can be viewed
as a distributivity lemma. The expressive power of the test formulae allows us
to mimic a decomposition of the heap of one memory state by a decomposition of the heap of any memory state equivalent to it with respect to
the relation $\approx^q_\alpha$, which is essential in the proof of Theorem 2(I).




Lemma 7. Let $q, \alpha, \alpha_1, \alpha_2 \geq 1$ with $\alpha = \alpha_1 + \alpha_2$ and $(s,h)$, $(s',h')$ be such that
$(s,h) \approx^q_\alpha (s',h')$. For all heaps $h_1, h_2$ such that $h = h_1 + h_2$ there are heaps $h_1'$,
$h_2'$ such that $h' = h_1' + h_2'$, $(s,h_1) \approx^q_{\alpha_1} (s',h_1')$ and $(s,h_2) \approx^q_{\alpha_2} (s',h_2')$.

For each formula $\varphi$ in SL(*, reach+), we define its memory size $\mathrm{msize}(\varphi)$
following the clauses below (see also [32]):

$$\mathrm{msize}(\pi) = 1 \text{ for any atomic formula } \pi, \qquad \mathrm{msize}(\varphi * \psi) = \mathrm{msize}(\varphi) + \mathrm{msize}(\psi),$$
$$\mathrm{msize}(\varphi \wedge \psi) = \max(\mathrm{msize}(\varphi), \mathrm{msize}(\psi)), \qquad \mathrm{msize}(\neg\varphi) = \mathrm{msize}(\varphi).$$

We have $1 \leq \mathrm{msize}(\varphi) \leq |\varphi|$. Theorem 2 below establishes the properties that
formulae in SL(*, reach+) can express.


Theorem 2. Let $\varphi$ be in SL(*, reach+) built over the variables in $x_1, \ldots, x_q$.
(I) For all $\alpha \geq 1$ such that $\mathrm{msize}(\varphi) \leq \alpha$ and for all memory states $(s,h)$, $(s',h')$
such that $(s,h) \approx^q_\alpha (s',h')$, we have $(s,h) \models \varphi$ iff $(s',h') \models \varphi$. (II) $\varphi$ is logically
equivalent to a Boolean combination of test formulae from $\mathrm{Test}(q, \mathrm{msize}(\varphi))$.


The proof of Theorem 2(I) is by structural induction on $\varphi$. The base cases for
atomic formulae follow from Lemma 6, whereas the inductive cases for Boolean
connectives are immediate. For the separating conjunction, suppose $(s,h) \models$
$\varphi_1 * \varphi_2$ and $\mathrm{msize}(\varphi_1 * \varphi_2) \leq \alpha$. There are heaps $h_1$ and $h_2$ such that $h = h_1 + h_2$,
$(s,h_1) \models \varphi_1$ and $(s,h_2) \models \varphi_2$. As $\alpha \geq \mathrm{msize}(\varphi_1 * \varphi_2) = \mathrm{msize}(\varphi_1) + \mathrm{msize}(\varphi_2)$,
there exist $\alpha_1$ and $\alpha_2$ such that $\alpha = \alpha_1 + \alpha_2$, $\alpha_1 \geq \mathrm{msize}(\varphi_1)$ and $\alpha_2 \geq$
$\mathrm{msize}(\varphi_2)$. By Lemma 7, there exist heaps $h_1'$ and $h_2'$ such that $h' = h_1' + h_2'$,
$(s,h_1) \approx^q_{\alpha_1} (s',h_1')$ and $(s,h_2) \approx^q_{\alpha_2} (s',h_2')$. By the induction hypothesis, we get
$(s',h_1') \models \varphi_1$ and $(s',h_2') \models \varphi_2$. Consequently, we obtain $(s',h') \models \varphi_1 * \varphi_2$.

As an example, we can apply this result to the memory states from Fig. 1.
We have already shown how to distinguish $(s_1,h_1)$ from $(s_2,h_2)$ using a
formula with only one separating conjunction. Theorem 2 ensures that these two
memory states do not satisfy the same set of test formulae for $\alpha \geq 2$. Indeed, only
$(s_1,h_1)$ satisfies $\mathrm{sees}_q(x_i,x_j) \geq 2$. The same argument can be used with $(s_3,h_3)$
and $(s_4,h_4)$: only $(s_3,h_3)$ satisfies the test formula $m_q(x_i,x_j) \hookrightarrow m_q(x_j,x_i)$.
Clearly, Theorem 2(II) relates separation logic with classical logic, as advocated
also in the works [10,23]. Now, it is possible to establish a small heap property.


Theorem 3. Let $\varphi$ be a satisfiable SL(*, reach+) formula built over $x_1, \ldots, x_q$.
There is $(s,h)$ such that $(s,h) \models \varphi$ and $\mathrm{card}(\mathrm{dom}(h)) \leq (q^2+4q)\cdot(|\varphi|+1) + |\varphi|$.


The small heap property for SL(*, reach+) is inherited from the small heap
property for the Boolean combinations of test formulae, which is analogous to
the small model property for other theories of singly linked lists, see e.g. [13,27].


4.3 Complexity Upper Bounds 


Let us draw some consequences of Theorem 3. First, for the logic SL(*, reach+),
we get a PSPACE upper bound, which matches the lower bound for SL(*) [11].


Theorem 4. The satisfiability problem for SL(*, reach+) is PSPACE-complete.


Besides, we may consider restricting the usage of Boolean connectives. We
write Bool(SHF) for the Boolean combinations of formulae from the symbolic heap
fragment [2]. A PTIME upper bound for the entailment/satisfiability problem
for the symbolic heap fragment is established in [12,17], whereas the
satisfiability problem for a slight variant of Bool(SHF) is shown to be in NP in [26,
Theorem 4]. Theorem 3 allows us to obtain this NP upper bound as a
by-product (we conjecture that our quadratic upper bound on the number of
cells could be improved to a linear one in that case).


Corollary 4. The satisfiability problem for Bool(SHF) is NP-complete.


It is possible to push further the PSPACE upper bound by allowing occurrences
of -* in a controlled way. Let SL(*, reach+, $\bigcup_{q,\alpha} \mathrm{Test}(q,\alpha)$) be the extension
of SL(*, reach+) augmented with the test formulae. The memory size function
is also extended: $\mathrm{msize}(v \hookrightarrow v') = 1$, $\mathrm{msize}(\mathrm{sees}_q(v,v') \geq \beta+1) = \beta+1$,
$\mathrm{msize}(\mathrm{sizeR}_q \geq \beta) = \beta$ and $\mathrm{msize}(\mathrm{alloc}(v)) = 1$. When formulae are encoded
as trees, we have $1 \leq \mathrm{msize}(\varphi) \leq |\varphi| \cdot \alpha_\varphi$, where $\alpha_\varphi$ is the maximal constant
in $\varphi$. Theorem 2(I) admits a counterpart for SL(*, reach+, $\bigcup_{q,\alpha} \mathrm{Test}(q,\alpha)$) and
consequently, any formula built over $x_1, \ldots, x_q$ can be shown equivalent to a
Boolean combination of test formulae from $\mathrm{Test}(q, |\varphi| \cdot \alpha_\varphi)$. By Theorem 3, any
satisfiable formula has therefore a model with $\mathrm{card}(\mathrm{dom}(h)) \leq (q^2+4q)\cdot(|\varphi| \cdot \alpha_\varphi +
1) + |\varphi| \cdot \alpha_\varphi$. Hence, the satisfiability problem for SL(*, reach+, $\bigcup_{q,\alpha} \mathrm{Test}(q,\alpha)$)
is in PSPACE when the constants are encoded in unary. Now, we can state
the new PSPACE upper bound for Boolean combinations of formulae from
SL(*, -*) $\cup$ SL(*, reach+).


Theorem 5. The satisfiability problem for Boolean combinations of formulae
from SL(*, -*) $\cup$ SL(*, reach+) is PSPACE-complete.
To conclude, let us introduce the largest fragment including -* and ls for which
decidability can be established so far.


Theorem 6. The satisfiability problem for the fragment of SL(*, -*, reach+) in
which reach+ is not in the scope of -* is decidable.


5 Conclusion 


We studied the effects of adding ls to SL(*, -*) and variants. SL(*, -*, ls) is
shown undecidable (Theorem 1) and non-finitely axiomatisable, which remains
quite unexpected since there are no first-order quantifications. This result is
strengthened to even weaker extensions of SL(*, -*), such as the one augmented
with $n(x) = n(y)$, $n(x) \hookrightarrow n(y)$ and $\mathrm{alloc}^{-1}(x)$, or the one augmented with
$\mathrm{reach}(x,y) = 2$ and $\mathrm{reach}(x,y) = 3$. If the magic wand is discarded, we have
established that the satisfiability problem for SL(*, ls) is PSPACE-complete
by introducing a class of test formulae that captures the expressive power of
SL(*, ls) and that leads to a small heap property. Such a logic contains the
Boolean combinations of symbolic heaps, and our proof technique allows us to
get an NP upper bound for such formulae. Moreover, we show that the satisfiability
problem for SL(*, -*, reach+) restricted to formulae in which reach+
is not in the scope of -* is decidable, leading to the largest known decidable
fragment in which -* and reach+ (or ls) cohabit. So, we have provided proof
techniques to establish undecidability when *, -* and ls are present and to
establish decidability based on test formulae. This paves the way to investigating
the decidability status of SL(-*, ls) as well as of the positive fragment of
SL(*, -*, ls) from [30,31].
Abstract. The natural join and the inner union operations combine
relations of a database. Tropashko and Spight [25] realized that these
two operations are the meet and join operations in a class of lattices,
known by now as the relational lattices. They then proposed lattice theory
as an algebraic approach to the theory of databases, alternative to
the relational algebra.

Previous works [17,23] proved that the quasiequational theory of these
lattices, that is, the set of definite Horn sentences valid in all the relational
lattices, is undecidable, even when the signature is restricted to
the pure lattice signature.

We prove here that the equational theory of relational lattices is decidable.
That is, we provide an algorithm to decide if two lattice theoretic
terms $t, s$ are made equal under all interpretations in some relational
lattice. We achieve this goal by showing that if an inclusion $t \leq s$ fails
in any of these lattices, then it fails in a relational lattice whose size is
bounded by a triple exponential function of the sizes of $t$ and $s$.


1 Introduction 


The natural join and the inner union operations combine relations (i.e. tables) 
of a database. SQL-like languages construct queries by making repeated use of 
the natural join and of the union. The inner union is a mathematically well 
behaved variant of the union—for example, it does not introduce empty cells. 
Tropashko and Spight realized [25,26] that these two operations are the meet 
and join operations in a class of lattices, known by now as the class of relational 
lattices. They proposed then lattice theory as an algebraic approach, alternative 
to Codd’s relational algebra [4], to the theory of databases. 

Roughly speaking, elements of the relational lattice R(D, A) are tables of a 
database, where A is a set of columns’ names and D is the set of possible cells’ 
values. Let us illustrate the two operations with examples. The natural join takes 
two tables and constructs a new one whose columns are indexed by the union of 
the headers, and whose rows are glueings of the rows along identical values in 
common columns: 
The inner union restricts two tables to the common columns and lists all
the rows of the two tables. The following example suggests how to construct,
using this operation, a table of users given two (or more) tables of people having
different roles.

Author                              Reviewer
Name    Surname      Conf           Name    Surname   Area
Luigi   Santocanale  FOSSACS        Alan    Turing    CS
                                    Kurt    Gödel     Logic

User = Author $\cup$ Reviewer
Name    Surname
Luigi   Santocanale
Alan    Turing
Kurt    Gödel

Since we shall focus on lattice-theoretic considerations, we shall use the symbols
$\wedge$ and $\vee$ in place of the symbols $\bowtie$ and $\cup$ used by database theorists.

A first important attempt to axiomatize these lattices was made by Litak
et al. [17]. They proposed an axiomatization, comprising equations and
quasiequations, in a signature that extends the pure lattice signature with a
constant, the header constant. A main result of that paper is that the quasiequational
theory of relational lattices is undecidable in this extended signature. Their
proof mimics Maddux's proof that the equational theory of cylindric algebras of
dimension $n \geq 3$ is undecidable [18].

Their result was further refined by us in [23]: the quasiequational theory
of relational lattices is undecidable even when the signature considered is the
least one, comprising only the meet (natural join) and the join (inner
union) operations. Our proof relied on a deeper algebraic insight: we proved that it is undecidable
whether a finite subdirectly irreducible lattice can be embedded into a
relational lattice; from this kind of result, undecidability of the quasiequational
theory immediately follows. We proved the above statement by reducing to it
an undecidable problem in modal logic, the coverability problem of a frame by a
universal $S5^A$-product frame [12]. In turn, this problem was shown to be undecidable
by reducing it to the representability problem of finite simple relation
algebras [11].

We prove here that the equational theory of relational lattices is decidable.
That is, we prove that it is decidable whether two lattice terms $t$ and $s$ are such
that $[\![t]\!]_v = [\![s]\!]_v$, for any valuation $v : \mathcal{X} \to R(D,A)$ of variables in a relational
lattice $R(D,A)$. We achieve this goal by showing that this theory has a kind of
finite model property of bounded size. Our main result, Theorem 25, reads as
follows: if an inclusion $t \leq s$ fails in a relational lattice $R(D,A)$, then this
inclusion fails in a finite lattice $R(E,B)$, such that $B$ is bounded by an exponential
function in the size of $t$ and $s$, and $E$ is linear in the size of $t$. It follows that
the size of $R(E,B)$ can be bounded by a triple exponential function in the size of
$t$ and $s$. In algebraic terms, our finite model theorem can be stated by saying
that the variety generated by the relational lattices is actually generated by its
finite generators, the relational lattices that are finite.
In our opinion, our results are significant in two respects. Firstly, the algebra
of the natural join and of the inner union has a direct connection to the
widespread SQL-like languages, see e.g. [17]. We dare to say that most programmers
that use a database, more or less explicitly, for example within server-side
web programs, are using these operations. In view of the widespread use of
these languages, the decidability status of this algebraic system deserved to be
settled. Moreover, we believe that the mathematical insights contained in our
decidability proof shall contribute to a further understanding of the algebraic system.
For example, it is not known yet whether a complete finite axiomatic basis exists
for relational lattices; finding it could eventually yield applications, e.g. on the
side of automated optimization of queries.

Secondly, our work exhibits the equational theory of relational lattices as a 
decidable one within a long list of undecidable logical theories [11, 12, 17,18, 23] 
that are used to model the constructions of relational algebra. We are exploring 
limits of decidability, a research direction widely explored in automata theoretic 
settings starting from [3]. We do this, within logic and with plenty of potential 
applications, coming from the undecidable side and crossing the border: after 
the quasiequational theory, undecidable, the next natural theory on the list, the 
equational theory of relational lattices, is decidable. 

On the technical side, our work relies on [22] where the duality theory for 
finite lattices developed in [21] was used to investigate equational axiomatiza- 
tions of relational lattices. A key insight from [22] is that relational lattices 
are, in some sense, duals of generalized ultrametric spaces over a powerset alge- 
bra. It is this perspective that made it possible to uncover the strong similarity 
between the lattice-theoretic methods and tools from modal logic—in particular 
the theory of combination of modal logics, see e.g. [15]. We exploit here this
similarity to adapt filtration techniques from modal logic [8] to lattice theory.
Also, the notion of generalized ultrametric spaces over a powerset algebra and 
the characterization of injective objects in the category of these spaces have been 
fundamental tools to prove the undecidability of the quasiequational theory [23] 
as well as, in the present case, the decidability of the equational theory. 

The paper is organised as follows. We recall in Sect. 2 some definitions and
facts about lattices. The relational lattices $R(D,A)$ are introduced in Sect. 3.
In Sect. 4 we show how to construct a lattice $L(X,\delta)$ from a generalized ultrametric
space $(X,\delta)$. This construction generalizes the construction of the lattice
$R(D,A)$: if $X = D^A$ is the set of all functions from $A$ to $D$ and $\delta$ is a sort
of Hamming distance, then $L(X,\delta) = R(D,A)$. We use the functorial properties
of $L$ to argue that when a finite space $(X,\delta)$ has the property of being pairwise-complete,
then $L(X,\delta)$ belongs to the variety generated by the relational lattices.
In Sect. 5 we show that if an inclusion $t \leq s$ fails in a lattice $R(D,A)$, then we
can construct a finite subset $T(f,t) \subseteq D^A$, a "tableau" witnessing the failure,
such that if $T(f,t) \subseteq T$ and $T$ is finite, then $t \leq s$ fails in a finite lattice of the
form $L(T,\delta_B)$, where the distance $\delta_B$ takes values in a finite powerset algebra
$\mathcal{P}(B)$. In Sect. 6, we show how to extend $T(f,t)$ to a finite bigger set $G$, so that
$(G,\delta_B)$ as a space over the powerset algebra $\mathcal{P}(B)$ is pairwise-complete. This
lattice $L(G,\delta_B)$ fails the inclusion $t \leq s$; out of it, we build a lattice of the form
$R(E,B)$, which fails the same inclusion; the sizes of $E$ and $B$ can be bounded
by functions of the sizes of the terms $t$ and $s$. Perspectives for future research
directions appear in the last Sect. 7.


2 Elementary Notions on Orders and Lattices 


We assume some basic knowledge of order and lattice theory as presented in 
standard monographs [5,9]. Most of the lattice theoretic tools we use originate 
from the monograph [7]. 

A lattice is a poset $L$ such that every finite non-empty subset $X \subseteq L$ admits
a least upper bound $\bigvee X$ and a greatest lower bound $\bigwedge X$. A lattice can also
be understood as a structure $\mathfrak{L}$ for the functional signature $(\vee, \wedge)$, such that the
interpretations of these two binary function symbols both give $\mathfrak{L}$ the structure
of an idempotent commutative semigroup, the two semigroup structures being
connected by the absorption laws $x \wedge (y \vee x) = x$ and $x \vee (y \wedge x) = x$. Once
a lattice is presented as such a structure, the order is recovered by stating that
$x \leq y$ holds if and only if $x \wedge y = x$.

A lattice $L$ is complete if any subset $X \subseteq L$ admits a least upper bound
$\bigvee X$. It can be shown that this condition implies that any subset $X \subseteq L$ admits
a greatest lower bound $\bigwedge X$. A lattice is bounded if it has a least element $\bot$
and a greatest element $\top$. A complete lattice (in particular, a finite lattice) is
bounded, since $\bigvee \emptyset$ and $\bigwedge \emptyset$ are, respectively, the least and greatest elements of
the lattice.

If $P$ and $Q$ are partially ordered sets, then a function $f : P \to Q$ is order-preserving
(or monotone) if $p \leq p'$ implies $f(p) \leq f(p')$. If $L$ and $M$ are lattices,
then a function $f : L \to M$ is a lattice morphism if it preserves the lattice
operations $\vee$ and $\wedge$. A lattice morphism is always order-preserving. A lattice
morphism $f : L \to M$ between bounded lattices $L$ and $M$ is bound-preserving if
$f(\bot) = \bot$ and $f(\top) = \top$. A function $f : P \to Q$ is said to be left adjoint to an
order-preserving $g : Q \to P$ if $f(p) \leq q$ holds if and only if $p \leq g(q)$ holds, for
every $p \in P$ and $q \in Q$; such a left adjoint, when it exists, is unique. Dually, a
function $g : Q \to P$ is said to be right adjoint to an order-preserving $f : P \to Q$
if $f(p) \leq q$ holds if and only if $p \leq g(q)$ holds; clearly, $f$ is left adjoint to $g$ if
and only if $g$ is right adjoint to $f$, so we say that $f$ and $g$ form an adjoint pair. If
$P$ and $Q$ are complete lattices, the property of being a left adjoint (resp., right
adjoint) to some $g$ (resp., to some $f$) is equivalent to preserving all (possibly
infinite) joins (resp., all meets).

A Moore family on $\mathcal{P}(U)$ is a collection $\mathcal{F}$ of subsets of $U$ which is closed under
arbitrary intersections. Given a Moore family $\mathcal{F}$ on $\mathcal{P}(U)$, the correspondence
sending $Z \subseteq U$ to $\overline{Z} := \bigcap\{Y \in \mathcal{F} \mid Z \subseteq Y\}$ is a closure operator on $\mathcal{P}(U)$,
that is, an order-preserving, inflationary and idempotent endofunction of $\mathcal{P}(U)$.
The subsets in $\mathcal{F}$, called the closed sets, are exactly the fixpoints of this closure
operator. A Moore family $\mathcal{F}$ has the structure of a complete lattice where

$$\bigwedge X = \bigcap X, \qquad \bigvee X = \overline{\bigcup X}. \tag{1}$$
The notion of Moore family can also be defined for an arbitrary complete
lattice $L$. Moore families on $L$ turn out to be in bijection with closure operators
on $L$. We shall actually consider the dual notion: a dual Moore family on a complete
lattice $L$ is a subset $\mathcal{F} \subseteq L$ that is closed under arbitrary joins. Such an $\mathcal{F}$
determines an interior operator (an order-preserving, decreasing and idempotent
endofunction on $L$) by the formula $x^\circ = \bigvee\{y \in \mathcal{F} \mid y \leq x\}$ and has the structure
of a complete lattice, where $\bigvee_{\mathcal{F}} X := \bigvee_L X$ and $\bigwedge_{\mathcal{F}} X := (\bigwedge_L X)^\circ$. Dual
Moore families on $L$ are in bijection with interior operators on $L$. Finally, let us
mention that closure (resp., interior) operators arise from adjoint pairs $f$ and $g$
(with $f$ left adjoint to $g$) by the formula $\overline{x} = g(f(x))$ (resp., $x^\circ = f(g(x))$).


3 The Relational Lattices R(D, A) 


Throughout this paper we use $X^Y$ for the set of functions of domain $Y$ and
codomain $X$.

Let $A$ be a collection of attributes (or column names) and let $D$ be a set of
cell values. A relation on $A$ and $D$ is a pair $(\alpha, T)$ where $\alpha \subseteq A$ and $T \subseteq D^\alpha$.
Elements of the relational lattice¹ $R(D,A)$ are relations on $A$ and $D$. Informally,
a relation $(\alpha, T)$ represents a table of a relational database, with $\alpha$ being the
header, i.e. the collection of names of columns, while $T$ is the collection of rows.

Before we define the natural join, the inner union operations, and the order
on $R(D,A)$, let us recall some key operations. If $\alpha \subseteq \beta \subseteq A$ and $f \in D^\beta$, then
we shall use $f\!\restriction_\alpha \in D^\alpha$ for the restriction of $f$ to $\alpha$; if $T \subseteq D^\beta$, then $T\!\restriction_\alpha$
shall denote projection to $\alpha$, that is, the direct image of $T$ along restriction,
$T\!\restriction_\alpha = \{f\!\restriction_\alpha \mid f \in T\}$; if $T \subseteq D^\alpha$, then $i_\beta(T)$ shall denote cylindrification to $\beta$,
that is, the inverse image of restriction, $i_\beta(T) := \{f \in D^\beta \mid f\!\restriction_\alpha \in T\}$. Recall
that $i_\beta$ is right adjoint to $\restriction_\alpha$. With this in mind, the natural join and the inner
union of relations are respectively described by the following formulas:

$$(\alpha_1, T_1) \wedge (\alpha_2, T_2) := (\alpha_1 \cup \alpha_2, T), \quad \text{where } T = \{f \mid f\!\restriction_{\alpha_i} \in T_i,\ i = 1,2\} = i_{\alpha_1 \cup \alpha_2}(T_1) \cap i_{\alpha_1 \cup \alpha_2}(T_2);$$

$$(\alpha_1, T_1) \vee (\alpha_2, T_2) := (\alpha_1 \cap \alpha_2, T), \quad \text{where } T = \{f \mid \exists i \in \{1,2\},\ \exists g \in T_i \text{ s.t. } g\!\restriction_{\alpha_1 \cap \alpha_2} = f\} = T_1\!\restriction_{\alpha_1 \cap \alpha_2} \cup T_2\!\restriction_{\alpha_1 \cap \alpha_2}.$$

The order is then given by $(\alpha_1, T_1) \leq (\alpha_2, T_2)$ iff $\alpha_2 \subseteq \alpha_1$ and $T_1\!\restriction_{\alpha_2} \subseteq T_2$.
A convenient way of describing these lattices was introduced in [17, Lemma
2.1]. The authors showed that the relational lattices $R(D,A)$ are isomorphic to
the lattices of closed subsets of $A \cup D^A$, where $Z \subseteq A \cup D^A$ is said to be closed
if it is a fixed-point of the closure operator $\overline{(-)}$ defined as

$$\overline{Z} := Z \cup \{f \in D^A \mid A \setminus Z \subseteq \mathrm{Eq}(f,g), \text{ for some } g \in Z\},$$


1 In [17] such a lattice is called full relational lattice. The wording “class of relational 
lattices” is used there for the class of lattices that have an embedding into some 
lattice of the form R(D, A). 
where in the formula above $\mathrm{Eq}(f,g)$ is the equalizer of $f$ and $g$. Letting $\delta(f,g) :=$
$\{x \in A \mid f(x) \neq g(x)\}$, the above definition of the closure operator is obviously
equivalent to the following one:

$$\overline{Z} := \alpha \cup \{f \in D^A \mid \delta(f,g) \subseteq \alpha, \text{ for some } g \in Z \cap D^A\}, \quad \text{with } \alpha = Z \cap A.$$


From now on, we rely on this representation of relational lattices. 
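As an added example, not part of the paper, the following Python code computes the natural join, the inner union and the order on two constructed tables, checks the absorption laws of Sect. 2 on them, and compares the result with the closed-subset representation just described. The map from a relation $(\alpha,T)$ to a closed subset of $A \cup D^A$ is not spelled out above; the code assumes the reading $(\alpha,T) \mapsto (A \setminus \alpha) \cup i_A(T)$, which is the one under which the closure operator and the order of $R(D,A)$ agree, and verifies on the example that meets are intersections and joins are closures of unions, as in (1).

```python
"""Relational lattice R(D, A) on tiny constructed tables: natural join (meet),
inner union (join), the order, and the closed-subset representation.
Attributes are strings; a row f over a header alpha is a frozenset of
(attr, value) pairs; a relation is a pair (alpha, T) with alpha a frozenset
of attributes and T a frozenset of rows over alpha."""
from itertools import product

def restrict(f, alpha):
    """f restricted to the attributes in alpha (f|_alpha in the text)."""
    return frozenset((a, v) for a, v in f if a in alpha)

def natural_join(r1, r2):
    """(a1,T1) meet (a2,T2) = (a1 u a2, {f | f|_{ai} in Ti}): rows of T1 and T2
    that agree on the common attributes are glued into one row."""
    (a1, t1), (a2, t2) = r1, r2
    common = a1 & a2
    rows = {f | g for f in t1 for g in t2
            if restrict(f, common) == restrict(g, common)}
    return (a1 | a2, frozenset(rows))

def inner_union(r1, r2):
    """(a1,T1) join (a2,T2) = (a1 n a2, T1|_{a1 n a2} u T2|_{a1 n a2})."""
    (a1, t1), (a2, t2) = r1, r2
    common = a1 & a2
    return (common, frozenset(restrict(f, common) for f in t1 | t2))

def leq(r1, r2):
    """(a1,T1) <= (a2,T2) iff a2 is a subset of a1 and T1|_{a2} is a subset
    of T2: a bigger header means a smaller element."""
    (a1, t1), (a2, t2) = r1, r2
    return a2 <= a1 and all(restrict(f, a2) in t2 for f in t1)

def lattice_laws_hold(x, y):
    """Absorption laws of Section 2 and the order/meet coincidence."""
    return (natural_join(x, inner_union(y, x)) == x
            and inner_union(x, natural_join(y, x)) == x
            and leq(x, y) == (natural_join(x, y) == x))

def all_functions(A, D):
    """D^A: every total function A -> D as a frozenset of (attr, value) pairs."""
    attrs = sorted(A)
    return frozenset(frozenset(zip(attrs, vals))
                     for vals in product(sorted(D), repeat=len(attrs)))

def delta(f, g):
    """delta(f, g) = {x in A | f(x) != g(x)} for total f, g in D^A."""
    return frozenset(a for a, v in f if (a, v) not in g)

def closure(Z, A, D):
    """The closure operator on A u D^A: alpha = Z n A stays, and every f in
    D^A with delta(f, g) <= alpha for some g in Z n D^A is added."""
    alpha = frozenset(z for z in Z if isinstance(z, str))
    funcs = [z for z in Z if not isinstance(z, str)]
    return alpha | frozenset(f for f in all_functions(A, D)
                             if any(delta(f, g) <= alpha for g in funcs))

def to_closed(rel, A, D):
    """Assumed reading of the isomorphism of [17, Lemma 2.1]: the attribute
    part of the closed set is the complement of the header in A (so a bigger
    header gives a smaller set, matching the order of R(D, A)) and the
    function part is the cylindrification i_A(T)."""
    alpha, T = rel
    return (frozenset(A) - alpha) | frozenset(
        f for f in all_functions(A, D) if restrict(f, alpha) in T)

def from_closed(Z, A):
    """Inverse of to_closed: header = A minus the attribute part, rows = the
    functions of Z projected onto the header."""
    attrs = frozenset(z for z in Z if isinstance(z, str))
    alpha = frozenset(A) - attrs
    return (alpha, frozenset(restrict(f, alpha)
                             for f in Z if not isinstance(f, str)))

def representation_agrees(r1, r2, A, D):
    """Under to_closed, the images are fixpoints of the closure, meet is
    intersection and join is the closure of the union (formula (1))."""
    z1, z2 = to_closed(r1, A, D), to_closed(r2, A, D)
    return (closure(z1, A, D) == z1 and closure(z2, A, D) == z2
            and from_closed(z1 & z2, A) == natural_join(r1, r2)
            and from_closed(closure(z1 | z2, A, D), A) == inner_union(r1, r2))

# Constructed sample: D = {0, 1}, A = {a, b, c}, two small tables.
A = frozenset({"a", "b", "c"})
D = frozenset({0, 1})

def row(**cells):
    return frozenset(cells.items())

R1 = (frozenset({"a", "b"}), frozenset({row(a=0, b=1), row(a=1, b=1)}))
R2 = (frozenset({"b", "c"}), frozenset({row(b=1, c=0)}))

if __name__ == "__main__":
    print(natural_join(R1, R2))
    print(inner_union(R1, R2))
    print(lattice_laws_hold(R1, R2), representation_agrees(R1, R2, A, D))
```

With the sample tables the join has header $\{a,b,c\}$ and two rows, the inner union has header $\{b\}$ and the single row $b \mapsto 1$, and both sit in the expected order relative to $R_1$ and $R_2$.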


4 Lattices from Metric Spaces 


Generalized ultrametric spaces over a Boolean algebra P(A) turn out to be a 
convenient tool for studying relational lattices [17,22]. Metrics are well known 
tools from graph theory, see e.g. [10]. Generalized ultrametric spaces over a 
Boolean algebra P(A) were introduced in [20] to study equivalence relations. 


Definition 1. An ultrametric space over $\mathcal{P}(A)$ (briefly, a space) is a pair
$(X,\delta)$, with $\delta : X \times X \to \mathcal{P}(A)$ such that, for every $f,g,h \in X$,

$$\delta(f,f) \subseteq \emptyset, \qquad \delta(f,g) \subseteq \delta(f,h) \cup \delta(h,g), \tag{2}$$
$$\delta(f,g) = \emptyset \text{ implies } f = g, \qquad \delta(f,g) = \delta(g,f). \tag{3}$$

That is, we have defined an ultrametric space over $\mathcal{P}(A)$ as a category (with a
small set of objects) enriched over $(\mathcal{P}(A)^{op}, \emptyset, \cup)$ (equation (2), see [16]) which
moreover is reduced and symmetric (conditions (3)).

A morphism of spaces² $\psi : (X,\delta_X) \to (Y,\delta_Y)$ is a function $\psi : X \to Y$ such
that $\delta_Y(\psi(f),\psi(g)) \subseteq \delta_X(f,g)$, for each $f,g \in X$. Obviously, spaces and their
morphisms form a category. If $\delta_Y(\psi(f),\psi(g)) = \delta_X(f,g)$, for each $f,g \in X$, then
$\psi$ is said to be an isometry. A space $(X,\delta)$ is said to be pairwise-complete, see
[2], or convex, see [19], if, for each $f,g \in X$ and $\alpha,\beta \subseteq A$,

$$\delta(f,g) \subseteq \alpha \cup \beta \text{ implies } \delta(f,h) \subseteq \alpha \text{ and } \delta(h,g) \subseteq \beta, \text{ for some } h \in X.$$


Proposition 2 (see [2,20]). If A is finite, then a space is injective in the cat- 
egory of spaces if and only if it is pairwise-complete. 


If $(X,\delta_X)$ is a space and $Y \subseteq X$, then the restriction of $\delta_X$ to $Y$ induces
a space $(Y,\delta_X)$; we say then that $(Y,\delta_X)$ is a subspace of $X$. Notice that the
inclusion of $Y$ into $X$ yields an isometry of spaces.

Our main example of a space over $\mathcal{P}(A)$ is $(D^A,\delta)$, with $D^A$ the set of functions
from $A$ to $D$ and the distance defined by

$$\delta(f,g) = \{a \in A \mid f(a) \neq g(a)\}. \tag{4}$$


A second example is a slight generalization of the previous one. Given a surjective
function $\pi : D \to A$, let $\mathrm{Sec}_\pi$ denote the set of all the functions $f : A \to D$ such
that $\pi \circ f = \mathrm{id}_A$. Then $\mathrm{Sec}_\pi \subseteq D^A$, so $\mathrm{Sec}_\pi$ with the distance inherited from
$(D^A,\delta)$ can be made into a space. Considering the first projection $\pi_1 : A \times D \to$
$A$, we see that $(D^A,\delta)$ is isomorphic to the space $\mathrm{Sec}_{\pi_1}$. By identifying $f \in \mathrm{Sec}_\pi$
with a vector $(f(a) \in \pi^{-1}(a) \mid a \in A)$, we see that

$$\mathrm{Sec}_\pi = \prod_{a \in A} D_a, \quad \text{where } D_a := \pi^{-1}(a). \tag{5}$$

That is, the spaces of the form $\mathrm{Sec}_\pi$ are naturally related to Hamming graphs
in combinatorics [13], dependent function types in type theory [6,14], universal
$S5^A$-product frames in modal logic [12].

² As $\mathcal{P}(A)$ is not totally ordered, we avoid calling a morphism "non-expanding map"
as it is often done in the literature.


Theorem 3 (see [23]). Spaces of the form $\mathrm{Sec}_\pi$ are, up to isomorphism, exactly
the injective objects in the category of spaces.


4.1 The Lattice of a Space 


The construction of the lattice $R(D,A)$ can be carried out from any space.
Namely, for a space $(X,\delta)$ over $\mathcal{P}(A)$, say that $Z \subseteq X$ is $\alpha$-closed if $g \in Z$
and $\delta(f,g) \subseteq \alpha$ implies $f \in Z$. Clearly, $\alpha$-closed subsets of $X$ form a Moore family
so, for $Z \subseteq X$, we denote by $Z^\alpha$ the least $\alpha$-closed subset of $X$ containing $Z$.
Observe that $f \in Z^\alpha$ if and only if $\delta(f,g) \subseteq \alpha$ for some $g \in Z$. Next and in the
rest of the paper, we shall exploit the obvious isomorphism between $\mathcal{P}(A) \times \mathcal{P}(X)$
and $\mathcal{P}(A \cup X)$ (where we suppose $A$ and $X$ disjoint) and notationally identify a
pair $(\alpha, Z) \in \mathcal{P}(A) \times \mathcal{P}(X)$ with its image $\alpha \cup Z \in \mathcal{P}(A \cup X)$. Let us say then
that $(\alpha, Z)$ is closed if $Z$ is $\alpha$-closed. Closed subsets of $\mathcal{P}(A \cup X)$ form a Moore
family, whence a complete lattice where the order is subset inclusion.


Definition 4. For a space $(X,\delta)$, the lattice $L(X,\delta)$ is the lattice of closed subsets
of $\mathcal{P}(A \cup X)$.


Clearly, for the space $(D^A,\delta)$, we have $L(D^A,\delta) = R(D,A)$. Let us mention that
meets and joins in $L(X,\delta)$ are computed using the formulas in (1). In particular,
for joins,

$$(\alpha, Y) \vee (\beta, Z) = (\alpha \cup \beta, (Y \cup Z)^{\alpha \cup \beta}).$$

The above formula yields that, for any $f \in X$, $f \in (\alpha, Y) \vee (\beta, Z)$ if and only if
$\delta(f,g) \subseteq \alpha \cup \beta$, for some $g \in Y \cup Z$.

We argue next that the above construction is functorial. Below, for a function
$\psi : X \to Y$, $\psi^{-1} : \mathcal{P}(Y) \to \mathcal{P}(X)$ is the inverse image of $\psi$, defined by $\psi^{-1}(Z) :=$
$\{x \in X \mid \psi(x) \in Z\}$.


Proposition 5. If $\psi : (X,\delta_X) \to (Y,\delta_Y)$ is a space morphism and $(\alpha, Z) \in$
$L(Y,\delta_Y)$, then $(\alpha, \psi^{-1}(Z)) \in L(X,\delta_X)$. Therefore, by defining $L(\psi)(\alpha, Z) :=$
$(\alpha, \psi^{-1}(Z))$, the construction $L$ lifts to a contravariant functor from the category
of spaces to the category of complete meet-semilattices.


Proof. Let $f \in X$ be such that, for some $g \in \psi^{-1}(Z)$ (i.e. $\psi(g) \in Z$), we
have $\delta_X(f,g) \subseteq \alpha$. Then $\delta_Y(\psi(f),\psi(g)) \subseteq \delta_X(f,g) \subseteq \alpha$, so $\psi(f) \in Z$, since
$Z$ is $\alpha$-closed, and $f \in \psi^{-1}(Z)$. In order to see that $L(\psi)$ preserves arbitrary
intersections, recall that $\psi^{-1}$ does.


Notice that $L(\psi)$ might not preserve arbitrary joins.
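As an added example, not from the paper, the following Python code checks conditions (2) and (3) of Definition 1, pairwise-completeness, Definition 4 together with the join formula, and Proposition 5, all on the constructed space $(D^A,\delta)$ with $A = \{a,b,c\}$ and $D = \{0,1\}$. The non-pairwise-complete subspace and the morphism `psi` are our own choices for the illustration; the small helpers `delta` and `all_functions` are the same as in the relational-lattice example.

```python
"""Ultrametric spaces over P(A) and the lattice L(X, delta) of a space, on the
constructed example A = {a, b, c}, D = {0, 1}. Points are total functions
A -> D stored as frozensets of (attr, value) pairs; distances are frozensets
of attributes, i.e. elements of P(A)."""
from itertools import combinations, product

def delta(f, g):
    """delta(f, g) = {x in A | f(x) != g(x)}, the distance (4)."""
    return frozenset(a for a, v in f if (a, v) not in g)

def all_functions(A, D):
    attrs = sorted(A)
    return frozenset(frozenset(zip(attrs, vals))
                     for vals in product(sorted(D), repeat=len(attrs)))

def powerset(A):
    attrs = sorted(A)
    return [frozenset(c) for r in range(len(attrs) + 1)
            for c in combinations(attrs, r)]

def is_space(X):
    """Conditions (2) and (3) of Definition 1, checked exhaustively."""
    return (all(delta(f, f) == frozenset() for f in X)
            and all(delta(f, g) <= delta(f, h) | delta(h, g)
                    for f in X for g in X for h in X)
            and all(f == g for f in X for g in X if delta(f, g) == frozenset())
            and all(delta(f, g) == delta(g, f) for f in X for g in X))

def pairwise_complete(X, A):
    """delta(f,g) <= alpha u beta must be witnessed by some h in X with
    delta(f,h) <= alpha and delta(h,g) <= beta."""
    subsets = powerset(A)
    return all(any(delta(f, h) <= alpha and delta(h, g) <= beta for h in X)
               for f in X for g in X for alpha in subsets for beta in subsets
               if delta(f, g) <= alpha | beta)

def alpha_closure(Z, alpha, X):
    """Z^alpha: f belongs to it iff delta(f, g) <= alpha for some g in Z."""
    return frozenset(f for f in X if any(delta(f, g) <= alpha for g in Z))

def is_closed(alpha, Z, X):
    return alpha_closure(Z, alpha, X) == Z

def join(e1, e2, X):
    """(alpha, Y) v (beta, Z) = (alpha u beta, (Y u Z)^{alpha u beta})."""
    (a, Y), (b, Z) = e1, e2
    return (a | b, alpha_closure(Y | Z, a | b, X))

def meet(e1, e2):
    """Meets are intersections, as in (1)."""
    (a, Y), (b, Z) = e1, e2
    return (a & b, Y & Z)

def lattice_L(X, A):
    """Every closed pair (alpha, Z) of P(A u X): the elements of L(X, delta)."""
    pts = list(X)
    return [(alpha, frozenset(Z))
            for alpha in powerset(A)
            for r in range(len(pts) + 1)
            for Z in combinations(pts, r)
            if is_closed(alpha, frozenset(Z), X)]

def is_morphism(psi, X):
    """A space morphism does not increase distances."""
    return all(delta(psi(f), psi(g)) <= delta(f, g) for f in X for g in X)

def prop5_holds(psi, X, Y, A):
    """Proposition 5: psi^{-1} maps alpha-closed subsets of Y to alpha-closed
    subsets of X, for a space morphism psi : X -> Y."""
    return all(is_closed(alpha, frozenset(f for f in X if psi(f) in Z), X)
               for alpha, Z in lattice_L(Y, A))

A = frozenset({"a", "b", "c"})
D = frozenset({0, 1})
X = all_functions(A, D)                # the space (D^A, delta) of (4)
ZERO = frozenset({("a", 0), ("b", 0), ("c", 0)})
ONE = frozenset({("a", 1), ("b", 1), ("c", 1)})
TWO_POINTS = frozenset({ZERO, ONE})    # a subspace that is not pairwise-complete

def psi(f):
    """A constructed space morphism X -> X: overwrite c by 0, so that
    delta(psi f, psi g) is delta(f, g) without c, hence a subset of it."""
    return frozenset((a, 0 if a == "c" else v) for a, v in f)

if __name__ == "__main__":
    print(is_space(X), pairwise_complete(X, A), pairwise_complete(TWO_POINTS, A))
    print(len(lattice_L(X, A)))        # |R({0,1}, {a,b,c})| = 2 + 3*4 + 3*16 + 256
    print(is_morphism(psi, X), prop5_holds(psi, X, X, A))
```

The element count 318 is the number of relations on three attributes over two values (for each header $\alpha$, $2^{2^{|\alpha|}}$ tables), which is the equality $L(D^A,\delta) = R(D,A)$ seen on the example; the two-point subspace fails pairwise-completeness because no point of it lies at distance $\subseteq \{a\}$ from one endpoint and $\subseteq \{b,c\}$ from the other.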


Proposition 6. The lattices $L(\mathrm{Sec}_\pi)$ generate the same lattice variety as the
lattices $R(D,A)$.


That is, a lattice equation holds in all the lattices $L(\mathrm{Sec}_\pi)$ if and only if it holds
in all the relational lattices $R(D,A)$.


Proof. Clearly, each lattice $R(D,A)$ is of the form $L(\mathrm{Sec}_\pi)$. Thus we only need
to argue that every lattice of the form $L(\mathrm{Sec}_\pi)$ belongs to the lattice variety generated
by the $R(D,A)$, that is, the least class of lattices containing the lattices
$R(D,A)$ and closed under products, sublattices, and homomorphic images. We
argue as follows.


As every space $\mathrm{Sec}_\pi$ embeds into a space $(D^A,\delta)$ and a space $\mathrm{Sec}_\pi$ is injective,
we have maps $\iota : \mathrm{Sec}_\pi \to (D^A,\delta)$ and $\psi : (D^A,\delta) \to \mathrm{Sec}_\pi$ such that $\psi \circ \iota =$
$\mathrm{id}_{\mathrm{Sec}_\pi}$. By functoriality, $L(\iota) \circ L(\psi) = \mathrm{id}_{L(\mathrm{Sec}_\pi)}$. Since $L(\psi)$ preserves all meets,
it has a left adjoint $\ell : L(\mathrm{Sec}_\pi) \to L(D^A,\delta) = R(D,A)$. It is easy to see that
$(\ell, L(\psi))$ is an EA-duet in the sense of [24, Definition 9.1] and therefore $L(\mathrm{Sec}_\pi)$
is a homomorphic image of a sublattice of $R(D,A)$, by [24, Lemma 9.7].


Remark 7. For the statement of [24, Lemma 9.7] to hold, additional conditions 
are necessary on the domain and the codomain of an EA-duet. Yet the implica- 
tion that derives being a homomorphic image of a sublattice from the existence 
of an EA-duet is still valid under the hypothesis that the two arrows of the 
EA-duet preserve one all joins and, the other, all meets. 


4.2 Extension from a Boolean Subalgebra 


We suppose that $\mathcal{P}(B)$ is a Boolean subalgebra of $\mathcal{P}(A)$ via an inclusion $i :$
$\mathcal{P}(B) \to \mathcal{P}(A)$. If $(X,\delta_B)$ is a space over $\mathcal{P}(B)$, then we can transform it into
a space $(X,\delta_A)$ over $\mathcal{P}(A)$ by setting $\delta_A(f,g) = i(\delta_B(f,g))$. We have therefore
two lattices $L(X,\delta_B)$ and $L(X,\delta_A)$.


Proposition 8. Let $\beta \subseteq B$ and $Y \subseteq X$. Then $Y$ is $\beta$-closed if and only if it is
$i(\beta)$-closed. Consequently the map $i_*$, sending $(\beta, Y) \in L(X,\delta_B)$ to $i_*(\beta, Y) :=$
$(i(\beta), Y) \in L(X,\delta_A)$, is a lattice embedding.


Proof. Observe that $\delta_B(f,g) \subseteq \beta$ if and only if $\delta_A(f,g) = i(\delta_B(f,g)) \subseteq i(\beta)$.
This implies not only the first statement of the Lemma, but also that, for
$Y \subseteq X$, $Y^\beta = Y^{i(\beta)}$. Using the fact that meets are computed as intersections
and that $i$ preserves intersections, it is easily seen that $i_*$ preserves meets. For
joins let us compute as follows:

$$i_*(\beta_1, Y_1) \vee i_*(\beta_2, Y_2) = (i(\beta_1) \cup i(\beta_2), (Y_1 \cup Y_2)^{i(\beta_1) \cup i(\beta_2)}) = (i(\beta_1 \cup \beta_2), (Y_1 \cup Y_2)^{i(\beta_1 \cup \beta_2)})$$
$$= (i(\beta_1 \cup \beta_2), (Y_1 \cup Y_2)^{\beta_1 \cup \beta_2}) = i_*(\beta_1 \cup \beta_2, (Y_1 \cup Y_2)^{\beta_1 \cup \beta_2}) = i_*((\beta_1, Y_1) \vee (\beta_2, Y_2)).$$




5 Failures from Big to Small Lattices 


The set of lattice terms is generated by the following grammar: 

\[
t ::= x \mid \top \mid t \wedge t \mid \bot \mid t \vee t,
\]


where x belongs to a set of variables X. For lattice terms t_1, ..., t_n, we use 
Vars(t_1, ..., t_n) to denote the set of variables (which is finite) occurring in any 
of these terms. The size of a term t is the number of nodes in the representation 
of t as a tree. If v : X → L is a valuation of variables into a lattice L, the value 
of a term t w.r.t. the valuation v is defined by induction in the obvious way; here 
we shall use [t]_v for it. 

For t, s two lattice terms, the inclusion t ≤ s is the equation t ∨ s = s. Any 
lattice-theoretic equation is equivalent to a pair of inclusions, so the problem of 
deciding the equational theory of a class of lattices reduces to the problem of 
deciding inclusions. An inclusion t ≤ s is valid in a class of lattices K if, for any 
valuation v : X → L with L ∈ K, [t]_v ≤ [s]_v; it fails in K if for some L ∈ K and 
v : X → L we have [t]_v ≰ [s]_v. 

From now on, our goal shall be proving that if an inclusion t ≤ s fails in a 
lattice R(D, A), then it fails in a lattice L(Sec_τ), where Sec_τ is a finite space 
over some finite Boolean algebra P(B). The size of B and of the space Sec_τ 
shall be inferred from the sizes of t and s. 

From now on, let us fix terms t and s, a lattice R(D, A), and a valuation 
v : X → R(D, A) such that [t]_v ≰ [s]_v. 
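As an added illustration (not code from the paper), the following Python implements lattice terms over the grammar above, their size and variable set, the evaluation [t]_v in a finite lattice, and the exhaustive check of an inclusion t ≤ s over all valuations into a finite lattice, which is the kind of "finite counter-model" reasoning this section sets up. The lattices it uses are constructed inline: powerset lattices P(A) (for a singleton A this is the two-element lattice of Lemma 9) and the five-element lattice M3, an assumed non-distributive example that is not taken from the paper. Run on the distributive inclusion x ∧ (y ∨ z) ≤ (x ∧ y) ∨ (x ∧ z), it shows the inclusion holds in every powerset lattice but fails in M3, returning the witnessing valuation.

```python
from itertools import product

# Lattice terms as nested tuples, following the grammar t ::= x | ⊤ | t ∧ t | ⊥ | t ∨ t.
def var(x):        return ('var', x)
def And(s, t):     return ('and', s, t)
def Or(s, t):      return ('or', s, t)
TOP, BOT = ('top',), ('bot',)

def size(t):
    """Number of nodes of t seen as a tree."""
    return 1 + sum(size(c) for c in t[1:]) if t[0] in ('and', 'or') else 1

def vars_of(*terms):
    """Vars(t_1, ..., t_n): the finite set of variables occurring in the terms."""
    out = set()
    for t in terms:
        if t[0] == 'var':
            out.add(t[1])
        elif t[0] in ('and', 'or'):
            out |= vars_of(t[1], t[2])
    return out

class FiniteLattice:
    """A finite lattice given by its carrier and its order; meets and joins are
    found by brute force as greatest lower / least upper bounds."""
    def __init__(self, carrier, leq):
        self.carrier, self.leq = list(carrier), leq
        self.top = next(c for c in self.carrier if all(leq(d, c) for d in self.carrier))
        self.bot = next(c for c in self.carrier if all(leq(c, d) for d in self.carrier))
    def meet(self, a, b):
        lbs = [c for c in self.carrier if self.leq(c, a) and self.leq(c, b)]
        return next(c for c in lbs if all(self.leq(d, c) for d in lbs))
    def join(self, a, b):
        ubs = [c for c in self.carrier if self.leq(a, c) and self.leq(b, c)]
        return next(c for c in ubs if all(self.leq(c, d) for d in ubs))

def value(t, L, v):
    """[t]_v: the value of t in L under the valuation v (a dict variable -> element)."""
    kind = t[0]
    if kind == 'var': return v[t[1]]
    if kind == 'top': return L.top
    if kind == 'bot': return L.bot
    a, b = value(t[1], L, v), value(t[2], L, v)
    return L.meet(a, b) if kind == 'and' else L.join(a, b)

def failing_valuation(t, s, L):
    """A valuation v with [t]_v not below [s]_v in L, i.e. a witness that t ≤ s fails
    in L, or None when the inclusion holds in L.  Exhaustive, so finite L only."""
    xs = sorted(vars_of(t, s))
    for choice in product(L.carrier, repeat=len(xs)):
        v = dict(zip(xs, choice))
        if not L.leq(value(t, L, v), value(s, L, v)):
            return v
    return None

def powerset_lattice(A):
    """P(A) ordered by inclusion; for a singleton A this is the two-element lattice."""
    A = list(A)
    carrier = [frozenset(a for a, bit in zip(A, bits) if bit)
               for bits in product([0, 1], repeat=len(A))]
    return FiniteLattice(carrier, lambda x, y: x <= y)

TWO = powerset_lattice([0])
# M3, the five-element modular non-distributive lattice (an assumed extra example).
M3 = FiniteLattice(['0', 'a', 'b', 'c', '1'], lambda x, y: x == y or x == '0' or y == '1')

x, y, z = var('x'), var('y'), var('z')
DIST_T, DIST_S = And(x, Or(y, z)), Or(And(x, y), And(x, z))   # the distributive law as t ≤ s

if __name__ == "__main__":
    print(size(DIST_T), size(DIST_S), sorted(vars_of(DIST_T, DIST_S)))
    print(failing_valuation(DIST_T, DIST_S, TWO), failing_valuation(DIST_T, DIST_S, M3))
```

Because every powerset lattice is distributive, checking an inclusion in the two-element lattice already decides it for all of them, which is the reduction used in the proof of Lemma 9; the exhaustive search over valuations is exactly the "obvious" decision procedure that a bounded finite counter-model yields.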


Lemma 9. If, for some a ∈ A, a ∈ [t]_v \ [s]_v, then the inclusion t ≤ s fails in 
the lattice R(E, B) with B = ∅ and E a singleton. 


Proof. The map sending (α, X) ∈ R(D, A) to α ∈ P(A) is a lattice morphism. 
Therefore if t ≤ s fails because of a ∈ A, then it already fails in the Boolean 
lattice P(A). Since P(A) is distributive, t ≤ s fails in the two-element lattice. 
Now, when B = ∅ and E is a singleton, R(E, B) is (isomorphic to) the two-element 
lattice, so the same equation fails in R(E, B). 


Because of the Lemma, we shall focus on functions f ∈ D^A such that f ∈ 
[t]_v \ [s]_v. In this case we shall say that f witnesses the failure of t ≤ s (in 
R(D, A), w.r.t. the valuation v). 

5.1 The Lattices R(D, A)_T 


Let T be a subset of D^A and consider the subspace (T, δ) of D^A induced by the 
inclusion i_T : T ⊆ D^A. According to Proposition 5, the inclusion i_T induces 
a complete meet-semilattice homomorphism L(i_T) : R(D, A) = L(D^A, δ) → 
L(T, δ). Such a map has a right adjoint j_T : L(T, δ) → L(D^A, δ), which is a 
complete join-semilattice homomorphism; moreover j_T is injective, since L(i_T) 
is surjective. 

Proposition 10. For a subset T ⊆ D^A and (α, X) ∈ R(D, A), (α, (X ∩ T)^α) = 
j_T(L(i_T)(α, X)). The set of elements of the form (α, (X ∩ T)^α), for α ⊆ A and 
X ⊆ D^A, is a complete sub-join-semilattice of R(D, A). 


Proof. It is easily seen that L(i_T)(α, X) = (α, X ∩ T) and that, for (β, Y) ∈ 
L(T, δ), (β, Y) ⊆ (α, X ∩ T) if and only if (β, Y^β) ⊆ (α, X), so j_T(β, Y) = (β, Y^β). 

It follows that the elements of the form (α, (X ∩ T)^α), where (α, X) ∈ R(D, A), 
form a complete sub-join-semilattice of R(D, A): indeed, they are the image of 
the lattice L(T, δ) under the complete join-semilattice homomorphism j_T. We argue 
next that, for any pair (α, X) (we do not require that X be α-closed) there is a 
Z ⊆ D^A which is α-closed and such that (X ∩ T)^α = (Z ∩ T)^α. Indeed, the equality 

\[
(X \cap T)^{\alpha} = \big((X \cap T)^{\alpha} \cap T\big)^{\alpha}
\]

is easily verified, so we can let Z = (X ∩ T)^α. 


Therefore, the set of pairs of the form (α, (X ∩ T)^α) is a dual Moore family 
and a complete lattice, where joins are computed as in R(D, A), and where meets 
are computed in a way that we shall make explicit. For the moment, let us fix 
the notation. 


Definition 11. R(D, A)_T is the lattice of elements of the form (α, (X ∩ T)^α). 


By the proof of Proposition 10, the lattice R(D, A)_T is isomorphic to the lattice 
L(T, δ). We shall use the symbol ⋒ for meets in R(D, A)_T; these are computed 
by the formula 

\[
\mathop{\Cap}_{i \in I} (\alpha_i, X_i) = \Big( \bigwedge_{i \in I} (\alpha_i, X_i) \Big)^{\circ},
\]

where, for each (α, X) ∈ R(D, A), (α, X)° is the greatest pair in R(D, A)_T that 
is below (α, X). Standard theory on adjoints yields 

\[
(\alpha, X)^{\circ} = (j_T \circ L(i_T))(\alpha, X) = (\alpha, (X \cap T)^{\alpha}).
\]

We obtain in this way the explicit formula for the binary meet in R(D, A)_T: 

\[
(\alpha, (X \cap T)^{\alpha}) \Cap (\beta, (Y \cap T)^{\beta})
 = \big(\alpha \cap \beta,\ ((X \cap T)^{\alpha} \cap (Y \cap T)^{\beta} \cap T)^{\alpha \cap \beta}\big).
\]

Remark that we have 
(α, X) ⋒ (β, Y) ⊆ (α, X) ∩ (β, Y) 
whenever (α, X) and (β, Y) are in R(D, A)_T. 


Lemma 12. Let (α, X), (β, Y) ∈ R(D, A)_T and let f ∈ T. If f ∈ (α, X) ∩ (β, Y), 
then f ∈ (α, X) ⋒ (β, Y). 


Proof. This is immediate from the fact that 

\[
(X \cap T)^{\alpha} \cap (Y \cap T)^{\beta} \cap T
\;\subseteq\;
\big((X \cap T)^{\alpha} \cap (Y \cap T)^{\beta} \cap T\big)^{\alpha \cap \beta}.
\]


5.2 Preservation of the Failure in the Lattices R(D, A)_T 
Recall that v : X → R(D, A) is the valuation that we have fixed. 


Definition 13. For a subset T of D^A, the valuation v_T : X → R(D, A)_T is 
defined by the formula v_T(x) = v(x)°, for each x ∈ X. 


More explicitly, we have 
v_T(x) := (α, (T ∩ X)^α), where (α, X) = v(x). 


The valuation v_T takes values in R(D, A)_T, while v takes values in R(D, A). It 
is possible then to evaluate a lattice term t in R(D, A)_T using v_T and to evaluate 
it in R(D, A) using v. To improve readability, we shall use the notation [t]_T for 
the result of evaluating the term in R(D, A)_T, and the notation [t] for the result 
of evaluating it in R(D, A). Since both [t] and [t]_T are (identified with) subsets 
of A ∪ D^A, it is possible to compare them using inclusion. 


Lemma 14. The relation [s]_T ⊆ [s] holds, for each T ⊆ D^A and each lattice 
term s. 


Proof. The proof of the Lemma is a straightforward induction, considering that 
v_T(x) ⊆ v(x) for all x ∈ X. For example, using [s_i]_T ⊆ [s_i], for i = 1, 2, 

\[
[s_1 \wedge s_2]_T = [s_1]_T \Cap [s_2]_T \subseteq [s_1]_T \cap [s_2]_T \subseteq [s_1] \cap [s_2] = [s_1 \wedge s_2].
\]


A straightforward induction also yields: 


Lemma 15. Let T ⊆ D^A be a finite subset, let t be a lattice term and suppose 
that [t] = (β, Y). Then [t]_T is of the form (β, Y') for some Y' ⊆ D^A. 


Definition 16. Let us define, for each term t and f ∈ D^A such that f ∈ [t], a 
finite set T(f, t) ⊆ D^A as follows: 

- If t is the variable x, then we let T(f, t) := {f}. 

- If t = s_1 ∧ s_2, then f ∈ [s_1] ∧ [s_2], so we define T(f, t) := T(f, s_1) ∪ T(f, s_2). 

- If t = s_1 ∨ s_2 and [s_i] = (α_i, X_i) for i = 1, 2, then f ∈ [s_1 ∨ s_2] gives that, 
for some i ∈ {1, 2}, there exists g ∈ X_i such that δ(f, g) ⊆ α_1 ∪ α_2. We set 
then T(f, t) := {f} ∪ T(g, s_i). 


Obviously, we have: 
Lemma 17. For each lattice term t and f ∈ D^A such that f ∈ [t], f ∈ T(f, t). 


Proposition 18. For each lattice term t and f ∈ D^A such that f ∈ [t], if 
T(f, t) ⊆ T, then f ∈ [t]_T. 


Proof. We prove the statement by induction on t. 

- If t is the variable x and f ∈ [x] = v(x) = (β, Y), then f ∈ Y. We have 
T(f, x) = {f}. Obviously, f ∈ Y ∩ {f} = Y ∩ T(f, t) ⊆ Y ∩ T, so f ∈ 
(β, (Y ∩ T)^β) = v_T(x) = [x]_T. 

- Suppose t = s_1 ∧ s_2, so f ∈ [s_1 ∧ s_2] yields f ∈ [s_1] and f ∈ [s_2]. We have 
defined T(f, t) = T(f, s_1) ∪ T(f, s_2) ⊆ T and so, using T(f, s_i) ⊆ T and the 
induction hypothesis, f ∈ [s_i]_T for i = 1, 2. By Lemma 17 f ∈ T, so we can 
use Lemma 12 asserting that 

\[
f \in [s_1]_T \Cap [s_2]_T = [s_1 \wedge s_2]_T.
\]

- Suppose t = s_1 ∨ s_2 and f ∈ [s_1 ∨ s_2]; let also (β_i, Y_i) := [s_i] for i = 1, 2. 
We have defined T(f, t) := {f} ∪ T(g, s_i) for some i ∈ {1, 2} and for some 
g ∈ [s_i] such that δ(f, g) ⊆ β_1 ∪ β_2. Now g ∈ T(g, s_i) ⊆ T(f, t) ⊆ T so, 
by the induction hypothesis, g ∈ [s_i]_T. According to Lemma 15, for each 
i = 1, 2, [s_i]_T is of the form (β_i, Y_i') for some subset Y_i' ⊆ D^A. Therefore 
δ(f, g) ⊆ β_1 ∪ β_2 and g ∈ [s_i]_T implies 

\[
f \in [s_1]_T \vee [s_2]_T = [s_1 \vee s_2]_T.
\]


Proposition 19. Suppose f witnesses the failure of the inclusion t ≤ s in 
R(D, A) w.r.t. the valuation v. Then, for each subset T ⊆ D^A such that T(f, t) ⊆ T, 
f witnesses the failure of the inclusion t ≤ s in the lattice R(D, A)_T w.r.t. the 
valuation v_T. 


Proof. As f witnesses t ≰ s in R(D, A), f ∈ [t] and f ∉ [s]. By Proposition 18, f ∈ 
[t]_T. If f ∈ [s]_T, then [s]_T ⊆ [s] (Lemma 14) implies f ∈ [s], a contradiction. 
Therefore f ∉ [s]_T, so f witnesses t ≰ s in R(D, A)_T. 


5.3 Preservation of the Failure in a Finite Lattice L(X, δ) 


From now on, we suppose that T ⊆ D^A is finite and T(f, t) ⊆ T with f witnessing 
the failure of t ≤ s. Consider the sub-Boolean-algebra of P(A) generated by the 
sets 

\[
\{\,\delta(f, g) \mid f, g \in T\,\} \cup \{\,A \cap v(x) \mid x \in Vars(t, s)\,\}. \qquad (6)
\]

Let us call B this Boolean algebra (yet, notice the dependency of this definition 
on T, as well as on t, s and v). It is well known that a Boolean algebra generated 
by a finite set is finite. 


Remark 20. If n = card(T) and m = card(Vars(t, s)), then B is generated by at most 
n² + m sets and can therefore have at most 2^{n² + m} atoms. If we let k be the 
maximum of the sizes of t and s, then, for T = T(f, t), both n ≤ k and m ≤ 2k. 
We obtain in this case the over-approximation 2^{k² + 2k} on the number of atoms 
of B. 


Let us also recall that B is isomorphic to the powerset P(at(B)), where at(B) is 
the set of atoms of B. Let i : P(at(B)) → P(A) be an injective homomorphism 
of Boolean algebras whose image is B. Since δ(f, g) ∈ B for every f, g ∈ T, we 
can transform the metric space (T, δ) induced from (D^A, δ) into a metric space 
(T, δ_{at(B)}) whose distance takes values in the powerset algebra P(at(B)): 

\[
\delta_{at(B)}(f, g) = \beta \quad\text{if and only if}\quad \delta(f, g) = i(\beta).
\]

Recall from Proposition 8 that there is a lattice embedding i_* : L(T, δ_{at(B)}) → 
L(T, δ), defined in the obvious way: i_*(β, Y) = (i(β), Y). 


Proposition 21. If f witnesses the failure of the inclusion t ≤ s in R(D, A) 
w.r.t. the valuation v, then the same inclusion fails in all the lattices L(T, δ_{at(B)}), 
where T is a finite set and T(f, t) ⊆ T. 


Proof. By Proposition 19 the inclusion t ≤ s fails in the lattice R(D, A)_T. This 
lattice is isomorphic to the lattice L(T, δ) via the map sending (α, X) ∈ R(D, A)_T 
to (α, X ∩ T). Up to this isomorphism, it is seen that (the restriction to the 
variables in t and s of) the valuation v_T takes values in the image of the lattice 
L(T, δ_{at(B)}) via i_*, so [t]_T, [s]_T belong to this sublattice and the inclusion fails 
in this sublattice, and therefore also in L(T, δ_{at(B)}). 


6 Preservation of the Failure in a Finite Lattice L(Sec_τ) 


We have seen up to now that if t ≤ s fails in R(D, A), then it fails in many 
lattices of the form L(T, δ_{at(B)}). Yet it is not obvious a priori that any of these 
lattices belongs to the variety generated by the relational lattices. We show in 
this section that we can extend any T to a finite set G while keeping B fixed, so 
that (G, δ_{at(B)}) is a pairwise-complete space over P(at(B)). Thus, the inclusion 
t ≤ s fails in the finite lattice L(G, δ_{at(B)}). Since (G, δ_{at(B)}) is isomorphic to a 
space of the form Sec_τ with τ : E → at(B), the inclusion t ≤ s fails in a lattice 
L(Sec_τ) which we have seen belongs to the variety generated by the relational 
lattices. This also leads to the construction of a finite relational lattice R(at(B), E) in 
which the equation t ≤ s fails. By following the chain of constructions, the sizes 
of at(B) and E can also be estimated, leading to decidability of the equational 
theory of relational lattices. 
Definition 22. A glue of T and B is a function g ∈ D^A such that, for all 
a ∈ at(B), there exists f ∈ T with f|_a = g|_a. We denote by G the set of all 
functions that are glues of T and B. 


Observe that T ⊆ G and that G is finite, with 

\[
card(G) \le card(T)^{card(at(B))}. \qquad (7)
\]


In order to prove the following Lemma, let, for each a ∈ at(B) and g ∈ G, 
f(g, a) ∈ T be such that g|_a = f(g, a)|_a. 


Lemma 23. If g_1, g_2 ∈ G, then δ(g_1, g_2) ∈ B. 


Proof. 

\[
\delta(g_1, g_2) = \bigcup_{a \in at(B)} \big(a \cap \delta(g_1, g_2)\big)
 = \bigcup_{a \in at(B)} \big(a \cap \delta(f(g_1, a), f(g_2, a))\big).
\]

Since δ(f(g_1, a), f(g_2, a)) ∈ B and a is an atom of B, each expression of the form 
a ∩ δ(f(g_1, a), f(g_2, a)) is either ∅ or a. It follows that δ(g_1, g_2) ∈ B. 


For a Boolean subalgebra B of P(A), we say that a subset T of D^A is pairwise- 
complete relative to B if, for each f, g ∈ T, 

1. δ(f, g) ∈ B, 
2. δ(f, g) ⊆ β ∪ γ implies δ(f, h) ⊆ β and δ(h, g) ⊆ γ for some h ∈ T, for each 
β, γ ∈ B. 


Lemma 24. The set G is pairwise-complete relative to the Boolean algebra B. 


Proof. Let f, g ∈ G be such that δ(f, g) ⊆ β ∪ γ. Let h ∈ D^A be defined so that, 
for each a ∈ at(B), h|_a = f|_a if a ⊄ β and h|_a = g|_a otherwise. Obviously, 
h ∈ G. 

Observe that a ⊄ β if and only if a ⊆ β^c, for each a ∈ at(B), since β ∈ B. 
We deduce therefore h|_a = f|_a if a ∈ at(B) and a ⊆ β^c, so f(a) = h(a) for 
each a ∈ β^c. Consequently β^c ⊆ Eq(f, h) and δ(f, h) ⊆ β. 

We also have h|_a = g|_a if a ∈ at(B) and a ⊆ γ^c. As before, this implies 
δ(h, g) ⊆ γ. Indeed, this is the case if a ⊆ β, by definition of h. Suppose now 
that a ⊄ β, so a ⊆ β^c ∩ γ^c = (β ∪ γ)^c. Since δ(f, g) ⊆ β ∪ γ, then a ⊆ δ(f, g)^c = 
Eq(f, g), i.e. f|_a = g|_a. Together with h|_a = f|_a (by definition of h) we obtain 
h|_a = g|_a. 
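The glue construction and the pairwise-completeness check, as an added worked example in Python (not code from the paper). It assumes the concrete reading of δ used in the proof of Lemma 24, namely δ(f, g) = the set of a ∈ A on which f and g differ (so that δ(f, g)^c = Eq(f, g)); it represents the Boolean subalgebra B by its atoms, given as a partition of A, and uses a small constructed T whose pairwise distances all lie in B. It computes G as in Definition 22, checks the bound (7) and Lemma 23, and verifies by brute force over all β, γ ∈ B that G, unlike T itself, satisfies both conditions of pairwise completeness relative to B.

```python
from itertools import product

def delta(f, g):
    """δ(f, g): the coordinates a ∈ A on which f and g differ (so δ(f,g)^c = Eq(f,g))."""
    return frozenset(a for a in range(len(f)) if f[a] != g[a])

def boolean_algebra(atoms):
    """Elements of the Boolean subalgebra B with at(B) = atoms: all unions of atoms."""
    return [frozenset().union(*[at for at, bit in zip(atoms, bits) if bit])
            for bits in product([0, 1], repeat=len(atoms))]

def in_B(beta, atoms):
    """β ∈ B iff β is a union of atoms, i.e. every atom lies inside β or is disjoint from it."""
    return all(at <= beta or not (at & beta) for at in atoms)

def glues(T, atoms):
    """Definition 22: all g with g|a = f|a for some f ∈ T, for every atom a."""
    n = len(next(iter(T)))
    G = set()
    for choice in product(sorted(T), repeat=len(atoms)):   # pick one f ∈ T per atom
        g = [None] * n
        for at, f in zip(atoms, choice):
            for a in at:
                g[a] = f[a]
        G.add(tuple(g))
    return G

def pairwise_complete(S, atoms):
    """Brute-force check of the two conditions of pairwise completeness relative to B."""
    B = boolean_algebra(atoms)
    for f, g in product(S, repeat=2):
        if not in_B(delta(f, g), atoms):                      # condition 1
            return False
        for beta, gamma in product(B, repeat=2):              # condition 2
            if delta(f, g) <= beta | gamma and not any(
                    delta(f, h) <= beta and delta(h, g) <= gamma for h in S):
                return False
    return True

# Constructed data (not from the paper): A = {0,1,2,3}, D = {0,1,2}, functions A -> D
# written as 4-tuples; at(B) = {{0,1},{2,3}}, so B = {∅, {0,1}, {2,3}, A}; T consists of
# three constant functions, whose pairwise distances δ(f, g) = A all lie in B.
ATOMS = [frozenset({0, 1}), frozenset({2, 3})]
T = {(0, 0, 0, 0), (1, 1, 1, 1), (2, 2, 2, 2)}

def demo():
    """Run the construction on the sample data and report the checks."""
    G = glues(T, ATOMS)
    return {
        "card_G": len(G),
        "bound_7": len(T) ** len(ATOMS),
        "T_subset_G": T <= G,
        "lemma_23": all(in_B(delta(g1, g2), ATOMS) for g1, g2 in product(G, repeat=2)),
        "T_pairwise_complete": pairwise_complete(T, ATOMS),
        "G_pairwise_complete": pairwise_complete(G, ATOMS),
    }

if __name__ == "__main__":
    print(demo())
```

On this input T fails condition 2 (for f = (0,0,0,0), g = (1,1,1,1), β = {0,1}, γ = {2,3} no h ∈ T splits the distance), while G contains the function h built atom by atom from f and g exactly as in the proof of Lemma 24, which is why G passes.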


We can finally bring together the observations developed so far and state our 
main results. 


Theorem 25. If an inclusion t ≤ s fails in all the lattices R(D, A), then 
it fails in a finite lattice R(E, A'), where card(A') ≤ 2^{p(k)} with k = 
max(size(t), size(s)), p(k) = k² + 2k, and card(E) ≤ size(t). 
Proof. By Proposition 19 the inclusion t ≤ s fails in all the lattices R(D, A)_T 
where T(f, t) ⊆ T. Once defined B as the Boolean subalgebra of P(A) generated 
by the sets as in the display (6) (with T = T(f, t)) and G as the set of glues of 
T(f, t) and B as in Definition 22, the inclusion fails in R(D, A)_G, since T(f, t) ⊆ 
G, and then in L(G, δ_{at(B)}) by Proposition 21. The condition that G is pairwise- 
complete relative to B is equivalent to saying that the space (G, δ_{at(B)}) is pairwise- 
complete. This space is therefore isomorphic to a space of the form Sec_τ for some 
surjective τ : E → at(B), and t ≤ s fails in L(Sec_τ). 

Equation (7) shows that, for each a ∈ at(B), E_a = τ^{-1}(a) has cardinality at 
most card(T(f, t)), and the size of t is an upper bound for card(T(f, t)). We can 
therefore embed the space Sec_τ into a space of the form (E^{at(B)}, δ) with the size 
of t an upper bound for card(E). The proof of Proposition 6 exhibits L(Sec_τ) as 
a homomorphic image of a sublattice of L(E^{at(B)}, δ) and therefore the inclusion 
t ≤ s also fails within L(E^{at(B)}, δ) = R(E, at(B)). The upper bound on the size 
of at(B) has been estimated in Remark 20. 


Remark 26. In the statement of the previous Theorem, the size of the lattice 
R(E, A') can be estimated out of the sizes of E and A' considering that 

\[
P(E^{A'}) \subseteq R(E, A') \subseteq P(A' \cup E^{A'}).
\]

An upper bound for card(R(E, A')) is therefore 2^{card(A') + card(E)^{card(A')}}, 
which, using card(A') ≤ 2^{p(k)} and card(E) ≤ k, is at most 2^{2^{p(k)} + k^{2^{p(k)}}}, 
where p(k) is the polynomial of degree 2 as in the statement of the Theorem and 
k is the maximum of size(t), size(s). 


A standard argument yields now: 


Corollary 27. The equational theory of the relational lattices is decidable. 


7 Conclusions 


We argued that the equational theory of relational lattices is decidable. We 
achieved this goal by giving a finite (counter)model construction of bounded 
size. 

Our result leaves open other questions that we might ask on relational lat- 
tices. We mentioned in the introduction the quest for a complete axiomatic 
base for this theory or, anyway, the need of a complete deductive system—so 
as to develop automatic reasoning for the algebra of relational lattices. As part 
of future research it is tempting to contribute to achieving this goal using the 
mathematical insights contained in the decidability proof. 

Our result also opens new research directions, in primis the investigation 
of the complexity of deciding lattice-theoretic equations/inclusions on relational 
lattices. Of course, the obvious decision procedure arising from the finite model 
construction is not optimal; a few algebraic considerations already suggest how 
the decision procedure can be improved. 
Also, it would be desirable next to investigate decidability of equational the- 
ories in signatures extending the pure lattice signature; many such extensions 
are proposed in [17]. It is not difficult to adapt the present decidability proof so 
as to add the header constant to the signature. 

A further interesting question is how this result translates back to the field 
of multidimensional modal logic [15]. We pointed out in [22] how the algebra 
of relational lattices can be encoded into a multimodal framework; we conjecture 
that our decidability result yields the decidability of some positive fragments of 
well known undecidable logics, such as the products S5ⁿ with n ≥ 3. Moreover, 
connections need to be established with other existing decidability results in 
modal logic and in database theory [1]. 
Abstract. Graph weighted models (GWMs) have recently been pro- 
posed as a natural generalization of weighted automata over strings, trees 
and 2-dimensional words to arbitrary families of labeled graphs (and 
hypergraphs). In this paper, we propose polynomial time algorithms 
for minimizing and deciding the equivalence of GWMs defined over the 
family of circular strings on a finite alphabet (GWMᶜs). The study of 
GWMᶜs is particularly relevant since circular strings can be seen as 
the simplest family of graphs with cycles. Despite the simplicity of this 
family and of the corresponding computational model, the minimization 
problem is considerably more challenging than in the case of weighted 
automata over strings and trees: while linear algebra tools are over- 
all sufficient to tackle the minimization problem for classical weighted 
automata (defined over a field), the minimization of GWMᶜs involves 
fundamental notions from the theory of finite dimensional algebra. We 
posit that the properties of GWMᶜs unraveled in this paper will prove 
useful for the study of GWMs defined over richer families of graphs. 


1 Introduction 


Functions defined over syntactical structures such as strings, trees and graphs are 
ubiquitous in computer science. Automata models allow one to succinctly repre- 
sent such functions. In particular, weighted automata can efficiently model func- 
tions mapping structured objects to values in a semi-ring. Weighted automata 
have been defined to handle functions whose domain are e.g. strings [9,26], 
trees [8,16] and 2-dimensional words [11]. More recently, Bailly et al. [2] proposed 
a computational model for functions mapping labeled graphs (or hypergraphs) 
to values in a field (see also [22, Chap. 2]): Graph Weighted Models (GWMs). 
GWMs extend the notion of linear representation of a function defined over 
strings and trees to functions defined over graphs labeled by symbols in a ranked 
alphabet: loosely speaking, while string weighted automata can be defined by 
associating each symbol in a finite alphabet to a linear map and tree weighted 
automata by associating each symbol in a ranked alphabet to a multilinear map, 
GWMs are defined by associating each arity k symbol from a ranked alphabet 
to a kth order tensor. The computation of a GWM boils down to mapping each 
vertex in a graph to the tensor associated to its label and performing contrac- 
tions directed by the edges of the input graph to obtain a value in the supporting 
field. When restricted to the families of strings, trees or 2-dimensional words, 
GWMs are expressively equivalent to the classical notions of weighted automata 
over these structures. 

Weighted automata have recently received interest from the machine learn- 
ing community due to their ability to represent functions defined over struc- 
tured objects. Efficient (and often consistent) learning algorithms have been 
developed for such computational models defined over sequences [3,6,10,19] and 
trees [1,4,14]. Motivated by the relevance of learning functions defined over richer 
families of labeled graphs, our long term objective is to design efficient learning 
algorithms for GWMs. This is however a challenging task. Given the close rela- 
tionship between minimization and learning for classical weighted automata (see 
e.g. [7,21,27]), we take a first step in this direction by tackling the problem of 
minimizing GWMs defined over the simple family of circular strings. 

Circular strings are strings whose last symbol is connected to the first. A 
circular string can be seen as a directed graph where each vertex is labeled by 
a symbol from a finite alphabet and is connected to its unique successor (i.e. 
a labeled graph composed of a unique cycle). Circular strings are relevant in 
biology (see e.g. [20] and references therein) and have been studied from a for- 
mal language perspective in the non-quantitative setting in [24]. The study of 
GWMs defined over such graphs is particularly relevant since circular strings are 
in some sense the simplest family of graphs with cycles (and cycles can be seen 
as the key obstacle for going from strings and trees to general graphs). More- 
over, GWMs defined over the family of circular strings—which we henceforth 
denote by GWMᶜs to avoid confusions—take a simple form making them easily 
amenable to theoretical study: a GWMᶜ is given by a set of matrices A^σ for 
each symbol σ in a finite alphabet, and maps any circular string σ_1σ_2···σ_k to the 
trace of the product of the matrices associated with the letters in the string¹. 
Despite the simplicity of this computational model and its strong connection 
with string weighted automata, the minimization problem is considerably more 
challenging than in the case of string or tree weighted automata. More precisely, 
while the minimization problem can easily be handled using notions from lin- 
ear algebra for e.g. real-valued string weighted automata (see e.g. [7]), we show 
in this paper that the minimization of GWMᶜs requires fundamental concepts 
from the theory of finite-dimensional algebras (such as the ones of radical and 
semi-simplicity). 


Contributions. Throughout the paper, we only consider automata defined over 
a field of characteristic 0. After introducing notions on weighted automata, 
GWMᶜs and finite-dimensional algebras in Sect. 2, we first tackle the problem of 
deciding the equivalence of GWMᶜs in Sect. 3. The study of the equivalence prob- 
lem is motivated by the simple observation that two minimal GWMs computing 


¹ Note that this is not a definition per se but rather a consequence of the definition 
of general GWMs (as introduced in [2,22]): when restricted to the family of circular 
strings, a GWM is given by a set of matrices and its computation can be succinctly 
expressed using the trace operator (whereas a general GWM is given by a set of 
tensors and its computation relies on partial traces). 
the same function are not necessarily related by a change of basis, which is in con- 
trast with a classical result stating that two minimal string weighted automata 
are equivalent if and only if they are related by a change of basis. Building 
from this observation, we unravel the fundamental notion of semi-simple GWMᶜ 
and we show that any function recognizable by a GWMᶜ can be computed by a 
semi-simple GWMᶜ (Corollary 1) and that two semi-simple GWMᶜs of equal 
dimensions computing the same function are necessarily related by a change of 
basis (Corollary 2). These two results naturally give rise to a polynomial time 
algorithm to decide whether two GWMᶜs are equivalent. We then move on to the 
minimization problem in Sect. 4, where we give a polynomial time minimization 
algorithm for GWMᶜs which fundamentally relies on the notion of semi-simple 
GWMᶜ (Corollary 3). While the problem of minimizing a GWM defined over 
the simple family of circular strings is central to this paper, we see it as a test 
bed for developing the theory of general GWMs: beyond the minimization and 
equivalence algorithms we propose, we believe that one of our main contributions 
is to illustrate how the theory of GWMs will rely on advanced concepts from 
algebra theory and to unravel fundamental properties that will surely be central 
to the study of GWMs defined over more general families of graphs (such as the 
one of semi-simple GWMᶜ). 


1.1 Notations 


For any integer n we let [n] = {1, 2, ..., n}. We denote the set of integers by ℕ 
and the fields of real and rational numbers by ℝ and ℚ respectively. Let F be a 
field of characteristic 0; we denote by M_n(F) = F^{n×n} the set of all n × n matrices 
over F. We use lower case bold letters for vectors (e.g. v ∈ F^d) and upper case 
bold letters for matrices (e.g. M ∈ F^{d_1×d_2}). We denote by I_n the n × n identity 
matrix (or simply I if the dimension is clear from context). Given a matrix M ∈ 
F^{d_1×d_2} we denote its entries by M_{i,j} and we use vec(M) ∈ F^{d_1 d_2} to denote the 
column vector obtained by concatenating the columns of M. We use ker(A) to 
denote the kernel (or null space) of a matrix A. Given two matrices A ∈ M_m(F) 
and B ∈ M_n(F) we denote their Kronecker product by A ⊗ B ∈ M_{mn}(F) and 
their direct sum by A ⊕ B ∈ M_{m+n}(F): A ⊗ B is the block matrix with blocks 
(A_{i,j} B)_{i,j} and A ⊕ B is the block diagonal matrix with A in the upper diagonal 
block and B in the lower one. We denote by Σ^* the set of strings on a finite 
alphabet Σ and the empty string by λ. We denote by Σ^+ the set of non-empty 
strings and by Σ^k the set of all strings of length k. 


2 Preliminaries 


We first present notions on weighted automata, graph weighted models and finite 
dimensional algebras. The reader is referred to [9,16,25] for more details on 
weighted automata theory, to [2] and [22, Chap. 2] for an introduction to graph 
weighted models, and to [13,17] for a thorough introduction to finite dimensional 
algebras. 
2.1 Weighted Automata and GWMs over Circular Strings 


Let Σ be a finite alphabet. A weighted finite automaton (WFA) over a field F 
with n states is a tuple M = (α, {M^σ}_{σ∈Σ}, ω) where α, ω ∈ F^n are the initial 
and final weight vectors respectively, and M^σ ∈ M_n(F) is the transition matrix 
for each symbol σ ∈ Σ. A WFA computes a function f_M : Σ^* → F defined for 
each word x = x_1 x_2 ··· x_k ∈ Σ^* by 

\[
f_M(x) = \alpha^{\top} M^{x_1} M^{x_2} \cdots M^{x_k} \omega.
\]

We will often use the shorthand notation M^x = M^{x_1} M^{x_2} ··· M^{x_k} for any word 
x = x_1 x_2 ··· x_k ∈ Σ^*. A WFA M with n states is minimal if its number of 
states is minimal, i.e. any WFA M' such that f_M = f_{M'} has at least n states. 
We say that a function f : Σ^* → F is WFA-recognizable if there exists a WFA 
computing it. 

Graph weighted models (GWMs) have been introduced as a computational 
model over arbitrary labeled graphs and hypergraphs in [2]. In this paper, we 
focus on the simple model of GWMs defined over the family of circular strings. 
A circular string is a string without a beginning or an end, one can think of it 
as a string closed onto itself (see Fig. 1). 


[Fig. 1: graph pictures not reproduced; see caption.] 


Fig. 1. (left) Graph representation of the string abba where the special vertices labeled 
with a and w denote the beginning and end of the string respectively. (right) In contrast, 
the circular string abba has no beginning and no end, it is thus the same object as e.g. 
the circular string baab. 


A d-dimensional GWM A over circular strings (GWMᶜ) on Σ is given by a set 
of matrices {A^σ}_{σ∈Σ} ⊆ M_d(F). It computes a function f_A : Σ^+ → F defined² 
for each word x = x_1 x_2 ··· x_k ∈ Σ^+ by 

\[
f_A(x) = \mathrm{Tr}(A^{x_1} A^{x_2} \cdots A^{x_k}) = \mathrm{Tr}(A^{x}).
\]

By invariance of the trace under cyclic permutation, we have f_A(x_1 x_2 ··· x_k) = 
f_A(x_2 x_3 ··· x_k x_1) = f_A(x_3 x_4 ··· x_k x_1 x_2) = ···. This is in accordance with the 


² Observe that we exclude the empty string from the domain of f_A. This is on purpose 
since f_A(λ) would be the dimension of A (using the convention A^λ = I): given two 
GWMᶜs of different dimensions computing the same function on Σ^+, we want to con- 
sider them as equivalent even though they disagree on λ. 
definition of a circular string: for any string x' obtained by cyclic permutation of the 
letters of a string x, both x and x' correspond to the same circular string. Similarly 
to WFAs, a GWMᶜ is minimal if its dimension is minimal and a function f : Σ^+ → 
F is GWMᶜ-recognizable if it can be computed by a GWMᶜ. 

It is immediate to see that there exist WFA-recognizable functions that are 
not GWMᶜ-recognizable; this is the case of any WFA-recognizable function that 
is not invariant under cyclic permutation of letters in a word³. In contrast, one 
can easily show that any GWMᶜ-recognizable function is WFA-recognizable. 
More precisely, we have the following result. 


Proposition 1. For any d-dimensional GWMᶜ A = {A^σ}_{σ∈Σ} on Σ, the WFA 
M with d² states (α, {M^σ}_{σ∈Σ}, ω), where α = ω = vec(I_d) and M^σ = I_d ⊗ A^σ 
for each σ ∈ Σ, is such that f_M(x) = f_A(x) for all x ∈ Σ^+. 


Proof. For any w = w_1 ··· w_k ∈ Σ^+ we have f_A(w) = Tr(A^w) = Σ_{i∈[d]} A^w_{i,i} = 
Σ_{i∈[d]} e_i^⊤ A^w e_i, where e_i is the i-th vector of the canonical basis of F^d. Since 
α = ω = (e_1^⊤, ···, e_d^⊤)^⊤ and M^w = I_d ⊗ A^w is the block-diagonal matrix with 
A^w repeated d times on the diagonal, one can check that f_M(w) = α^⊤ M^w ω = 
Σ_{i∈[d]} e_i^⊤ A^w e_i = f_A(w). 


It follows from this proposition that the learning and equivalence problems for 
GWMᶜs could be handled by using the corresponding algorithms for WFAs. 
We will nonetheless study the equivalence problem in the next section⁴ without 
falling back onto the theory of WFAs, which will allow us to unravel fundamental 
properties of GWMs that will be particularly relevant to further studies (more- 
over, the minimization problem obviously cannot be handled in such a way). 
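As an added example (not code from the paper), the following Python evaluates a GWMᶜ by the trace formula, checks that the value is the same on every cyclic permutation of a word, and builds the d²-state WFA of Proposition 1 (α = ω = vec(I_d), M^σ = I_d ⊗ A^σ) to confirm that it computes the same function on Σ^+ and that on the empty word it returns the dimension d, as footnote 2 states. The two 2×2 matrices are constructed sample values, and the matrix helpers are written in plain Python so the block runs without NumPy.

```python
def matmul(A, B):
    """Product of two matrices given as lists of rows (plain Python, no NumPy)."""
    return [[sum(A[i][l] * B[l][j] for l in range(len(B))) for j in range(len(B[0]))]
            for i in range(len(A))]

def identity(d):
    return [[1 if i == j else 0 for j in range(d)] for i in range(d)]

def trace(M):
    return sum(M[i][i] for i in range(len(M)))

def kron(A, B):
    """Kronecker product A ⊗ B: the block matrix with blocks A[i][j] * B."""
    m, n = len(A), len(B)
    return [[A[i // n][j // n] * B[i % n][j % n] for j in range(m * n)] for i in range(m * n)]

def vec(M):
    """vec(M): the column vector obtained by concatenating the columns of M."""
    return [M[i][j] for j in range(len(M[0])) for i in range(len(M))]

def gwm_value(A, word):
    """f_A(x) = Tr(A^{x_1} A^{x_2} ... A^{x_k}) for a non-empty word x (Σ^+)."""
    if not word:
        raise ValueError("a GWMc is only defined on non-empty words")
    d = len(next(iter(A.values())))
    P = identity(d)
    for sigma in word:
        P = matmul(P, A[sigma])
    return trace(P)

def wfa_value(alpha, M, omega, word):
    """f_M(x) = α^T M^{x_1} ... M^{x_k} ω (the empty word gives α^T ω)."""
    row = [list(alpha)]                      # α^T as a 1 x n matrix
    for sigma in word:
        row = matmul(row, M[sigma])
    return sum(r * w for r, w in zip(row[0], omega))

def lift_to_wfa(A):
    """Proposition 1: the d^2-state WFA with α = ω = vec(I_d) and M^σ = I_d ⊗ A^σ."""
    d = len(next(iter(A.values())))
    I = identity(d)
    return vec(I), {s: kron(I, As) for s, As in A.items()}, vec(I)

def rotations(word):
    """All cyclic permutations of a word; they denote the same circular string."""
    return [word[i:] + word[:i] for i in range(len(word))]

def values_on_rotations(A, word):
    """Set of GWMc values over the rotations of word; a singleton shows cyclic invariance."""
    return {gwm_value(A, w) for w in rotations(word)}

# Constructed sample GWMc of dimension 2 over Σ = {a, b} (not taken from the paper).
SAMPLE = {'a': [[1, 2], [0, 1]], 'b': [[0, 1], [1, 1]]}

if __name__ == "__main__":
    alpha, M, omega = lift_to_wfa(SAMPLE)
    for w in ["a", "ab", "abb", "bab"]:
        print(w, gwm_value(SAMPLE, w), wfa_value(alpha, M, omega, w))
    print(values_on_rotations(SAMPLE, "abb"))
```

The lifted WFA agrees with the GWMᶜ on every non-empty word because (I_d ⊗ A^{x_1})···(I_d ⊗ A^{x_k}) = I_d ⊗ A^x and vec(I_d)^⊤ (I_d ⊗ A^x) vec(I_d) = Σ_i e_i^⊤ A^x e_i = Tr(A^x), which is the computation in the proof above.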


2.2 Finite-Dimensional Algebras 


An algebra A over a field F (or F-algebra) is a vector space over the field F 
equipped with a bilinear operation (called multiplication or product). An algebra 
is associative if its product is associative and it is finite-dimensional if it is of 
finite dimension as a vector space over F. In this paper, we will only consider 
finite-dimensional associative algebras. A sub-algebra B of an algebra A is a 
linear subspace of A which is closed under product (i.e. B equipped with the 
operations of A is an algebra itself). 

A classical example of a finite-dimensional algebra is the set L(V) of linear 
operators on some finite-dimensional vector space V (where the product is com- 
position). In this particular example, the algebra L(V) is isomorphic to the full 
matrix algebra M_d(F), where d is the dimension of V; we will mainly focus on 
matrix algebras in this paper, i.e. sub-algebras of the full matrix algebra M_d(F) 
for some d (an example of such an algebra is the set of d × d upper triangular 
matrices). In particular, we will often consider the algebra generated by a finite 


³ Note that this is not a necessary condition: the function f defined on {a, b}^* by 
f(x) = 1 if x = a and 0 otherwise is WFA-recognizable but not GWMᶜ-recognizable. 
⁴ The learning problem has been previously considered in [5,22]. 
set of matrices {A^σ}_{σ∈Σ} ⊆ M_d(F) for some finite alphabet Σ, that is the set of 
all finite linear combinations of matrices of the form A^x = A^{x_1} A^{x_2} ··· A^{x_k} for 
x = x_1 x_2 ··· x_k ∈ Σ^*. More formally, if we denote by 𝒜 this algebra, we have 

\[
\mathcal{A} = \Big\{ \sum_{i=1}^{n} \alpha_i A^{w_i} : n \in \mathbb{N},\ \alpha_1, \ldots, \alpha_n \in F,\ w_1, \ldots, w_n \in \Sigma^{*} \Big\}.
\]

Let 𝒜 be a finite-dimensional algebra over F. A sub-algebra 𝒳 of 𝒜 is called 
an ideal of 𝒜 if both xa ∈ 𝒳 and ax ∈ 𝒳 for any x ∈ 𝒳, a ∈ 𝒜 (i.e. 𝒳 is 
both left and right 𝒜-invariant), which we will denote by 𝒜𝒳 = 𝒳𝒜 = 𝒳. A 
sub-algebra 𝒳 of 𝒜 is nilpotent if there exists some integer k such that 𝒳^k = 
{x_1 x_2 ··· x_k : x_i ∈ 𝒳, i ∈ [k]} = {0}. The factor algebra 𝒜/𝒳 of an algebra 𝒜 
by an ideal 𝒳 is the algebra consisting of all cosets a + 𝒳 for a ∈ 𝒜; in other 
words 𝒜/𝒳 is the quotient of 𝒜 by the equivalence relation (a ∼ b if and only 
if a − b ∈ 𝒳). The radical⁵ of 𝒜 is the maximal nilpotent ideal of 𝒜 and will be 
denoted by Rad(𝒜) (the existence of Rad(𝒜) follows from the fact that 𝒜 is of 
finite dimension). An algebra 𝒜 is semi-simple if its radical is {0}. 

Let us illustrate these definitions with a very simple example. Let
$\mathcal{G} \subset M_2(\mathbb{R})$ be the algebra generated by the matrix

$$G = \begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix}.$$

One can easily check that

$$\mathcal{G} = \left\{ \begin{pmatrix} \alpha & \beta \\ 0 & \alpha \end{pmatrix}
: \alpha, \beta \in \mathbb{R} \right\}$$

and is thus of dimension 2. Consequently, both

$$\mathcal{G}_1 = \left\{ \begin{pmatrix} \alpha & 0 \\ 0 & \alpha \end{pmatrix}
: \alpha \in \mathbb{R} \right\} \quad \text{and} \quad
\mathcal{G}_2 = \left\{ \begin{pmatrix} 0 & \beta \\ 0 & 0 \end{pmatrix}
: \beta \in \mathbb{R} \right\} \qquad (1)$$

are sub-algebras of $\mathcal{G}$. Moreover, $\mathcal{G}_2$ is a nilpotent
ideal and one can check that it is maximal, i.e. $\mathrm{Rad}(\mathcal{G}) =
\mathcal{G}_2$ and hence $\mathcal{G}$ is not semi-simple.

Intuitively, the radical of an algebra $\mathcal{A}$ contains its bad elements
(in the sense that these elements annihilate all simple $\mathcal{A}$-modules).
In our previous example, this bad property translates into the fact that the
non-zero elements of $\mathcal{G}_2$ cannot be diagonalized. We will use two
fundamental results from the theory of finite-dimensional algebras. The first
one is the Wedderburn-Malcev theorem, which states that (under some conditions
on the ground field $F$) the elements of the radical can be filtered out from
the algebra, i.e. one can find a sub-algebra of $\mathcal{A}$ that is isomorphic
to $\mathcal{A}/\mathrm{Rad}(\mathcal{A})$ (see e.g. [17, Theorem 6.2.3]).


Theorem 1 (Wedderburn-Malcev Theorem). Let $\mathcal{A}$ be a finite-dimensional
algebra over a field of characteristic 0. There exists a semi-simple sub-algebra
$\bar{\mathcal{A}}$ of $\mathcal{A}$ which is isomorphic to
$\mathcal{A}/\mathrm{Rad}(\mathcal{A})$ and such that $\mathcal{A} =
\bar{\mathcal{A}} \oplus \mathrm{Rad}(\mathcal{A})$ (direct sum of vector
spaces).




Going back to the example of the algebra $\mathcal{G}$ described above, we showed
that it is not semi-simple; however, one can easily check that
$\mathcal{G}/\mathrm{Rad}(\mathcal{G})$ is isomorphic to the algebra
$\mathcal{G}_1$ in Eq. (1), which is semi-simple, and furthermore that
$\mathcal{G} = \mathcal{G}_1 \oplus \mathrm{Rad}(\mathcal{G})$.


5 Note that this definition is specific to the finite-dimensional case; for general rings, 
there exist distinct non-equivalent definitions of radicals, which all agree with the 
one given here in the case of finite-dimensional algebras. 
The second fundamental result we will need is related to the notion of
representation of an algebra. A representation of an $F$-algebra $\mathcal{A}$
is a homomorphism of $\mathcal{A}$ into the algebra $L(V)$ of the linear
operators on some vector space $V$ (over $F$). Two representations
$\rho: \mathcal{A} \to L(V)$ and $\tau: \mathcal{A} \to L(W)$ are similar if
there exists an isomorphism $\phi: V \to W$ such that $\rho(a) = \phi^{-1}
\tau(a) \phi$ for all $a \in \mathcal{A}$. For semi-simple algebras, the notion
of similar representations is fundamentally related to the trace operator, which
will be particularly relevant to the present study. Formally, we have the
following theorem (see e.g. [17, Corollary 2.6.3]).


Theorem 2. Let $\rho$ and $\tau$ be two representations of a semi-simple algebra
$\mathcal{A}$ over a field of characteristic 0. These representations are similar
if and only if $\mathrm{Tr}(\rho(a)) = \mathrm{Tr}(\tau(a))$ for all
$a \in \mathcal{A}$.


3 Semi-Simple GWMs and the Equivalence Problem 


In this section, we study the equivalence problem: given two GWMs over circular
strings, how can we decide whether they compute the same function? In light of
Proposition 1, one could solve this problem by simply converting the two GWM°s
into WFAs and checking whether these two WFAs compute the same function;
indeed, the equivalence problem for WFAs defined over a field is decidable in
polynomial time [9]. Nonetheless, we will tackle this problem without relying
on this proposition and, by doing so, we will unravel the notion of semi-simple
GWM°, which will be relevant to the study of the minimization problem in the
next section (and which should also be central to the study of GWMs defined
over more general families of graphs).


3.1 Semi-Simplicity, Nilpotent Matrices and Traces 


Let $\mathcal{A}$ be a finite-dimensional matrix algebra. Recall that the radical
of $\mathcal{A}$ is its maximal nilpotent ideal. A useful characterization of the
elements of the radical relies on the notion of strongly nilpotent elements:
$A \in \mathcal{A}$ is strongly nilpotent if $AX$ is nilpotent for any
$X \in \mathcal{A}$. It turns out that the radical of $\mathcal{A}$ is exactly
the set of its strongly nilpotent elements [17, Corollary 3.1.10]. Since the
computation of a GWM° boils down to applying the trace operator, we will leverage
this property to relate the notions of radical and semi-simplicity to simple
properties of the elements of $\mathcal{A}$ with respect to the trace operator.
We start with a simple lemma relating nilpotency and trace.


Lemma 1. Let $F$ be a field of characteristic 0 and let $A \in M_d(F)$. Then
$A$ is nilpotent if and only if $\mathrm{Tr}(A^n) = 0$ for all $n \geq 1$.


Proof. Let $A$ be a nilpotent matrix and let $k$ be such that $A^k = 0$. Suppose
$Av = \gamma v$ for some $v \neq 0$ (where $\gamma$ could belong to an
algebraically closed field extension of $F$). Then $A^k v = \gamma^k v = 0$,
hence $\gamma = 0$ since $F$ is of characteristic 0; thus $A$ has only 0
eigenvalues and $\mathrm{Tr}(A^n) = 0$ for all $n \geq 1$.

Conversely, suppose that $\mathrm{Tr}(A^n) = 0$ for all $n \geq 1$. Then, we have
$\mathrm{Tr}(P(A)) = 0$ for any polynomial $P$ with constant term 0. Suppose that
$A$ has a non-zero eigenvalue $\gamma$ and let $m > 0$ be its multiplicity.
Choose a polynomial $P$ such that $P(\gamma) = 1$, $P(0) = 0$ and $P(\mu) = 0$
for any eigenvalue $\mu$ of $A$ distinct from $\gamma$. We then have
$0 = \mathrm{Tr}(P(A)) = m$, a contradiction. Hence $A$ has only zero
eigenvalues and is nilpotent.


One can use the previous lemma to show that an element $A \in \mathcal{A}$ is
strongly nilpotent if and only if $\mathrm{Tr}(AX) = 0$ for all
$X \in \mathcal{A}$, which leads to the following useful characterization of the
semi-simplicity of an algebra.


Proposition 2. Let $\mathcal{A} \subset M_d(F)$ be a matrix algebra. We have

$$\mathrm{Rad}(\mathcal{A}) = \{A \in \mathcal{A} : \mathrm{Tr}(AX) = 0
\text{ for all } X \in \mathcal{A}\}.$$

Consequently, $\mathcal{A}$ is semi-simple if and only if for all
$A \in \mathcal{A}$ different from 0 there exists $X \in \mathcal{A}$ such that
$\mathrm{Tr}(AX) \neq 0$.


Proof. We will show that $A \in \mathcal{A}$ is strongly nilpotent if and only if
$\mathrm{Tr}(AX) = 0$ for all $X \in \mathcal{A}$. The proposition will then
follow directly from the fact that $\mathrm{Rad}(\mathcal{A})$ is the set of
strongly nilpotent elements of $\mathcal{A}$ and from the fact that
$\mathcal{A}$ is semi-simple if and only if $\mathrm{Rad}(\mathcal{A}) = \{0\}$.

Let $A \in \mathcal{A}$ be such that $\mathrm{Tr}(AX) = 0$ for all
$X \in \mathcal{A}$. Since $X(AX)^{n-1} \in \mathcal{A}$ for all $n \geq 1$ and
all $X \in \mathcal{A}$, we have $\mathrm{Tr}((AX)^n) = 0$ for all $n \geq 1$
and all $X \in \mathcal{A}$, hence $AX$ is nilpotent for all $X \in \mathcal{A}$
by Lemma 1, i.e. $A$ is strongly nilpotent. Conversely, let $A$ be a strongly
nilpotent element of $\mathcal{A}$. By Lemma 1 we have
$\mathrm{Tr}((AX)^n) = 0$ for all $X \in \mathcal{A}$ and all $n \geq 1$, in
particular $\mathrm{Tr}(AX) = 0$.


3.2 Equivalence of GWMs 


We now consider the problem of deciding whether two GWM°s are equivalent. Let us
first briefly show how one can decide whether two real-valued WFAs compute the
same function. One way to address this problem relies on the following result:
two minimal real-valued WFAs computing the same function are related by a change
of basis. Note that it is easy to check that WFAs are invariant under a change of
basis of their weight vectors and transition matrices. The following proposition
shows that such a change of basis is actually the only way for two minimal WFAs
to compute the same function [26] (see also [6, Corollary 4.2]).


Proposition 3. If two WFAs $A = (\alpha, \{A^\sigma\}_{\sigma \in \Sigma},
\omega)$ and $\tilde{A} = (\tilde{\alpha}, \{\tilde{A}^\sigma\}_{\sigma \in
\Sigma}, \tilde{\omega})$ with $d$ states taking their values in $\mathbb{R}$
are minimal and compute the same function, i.e. $f_A = f_{\tilde{A}}$, then
there exists an invertible matrix $P \in M_d(\mathbb{R})$ such that

$$\alpha^\top = \tilde{\alpha}^\top P, \qquad \omega = P^{-1} \tilde{\omega}
\qquad \text{and} \qquad A^\sigma = P^{-1} \tilde{A}^\sigma P \quad
\text{for each } \sigma \in \Sigma.$$


Hence, to decide whether two WFAs compute the same function one can simply
minimize them and check whether the weight vectors and transition matrices
obtained after minimization are related by a change of basis (which can both
be done in polynomial time). In contrast, one can easily find an example of two
minimal GWM°s whose matrices are not related by a change of basis. Consider
the constant function $f(x) = 2$ for all $x \in \Sigma^+$. One can check that
the two GWM°s $G$ and $\tilde{G}$ with 2 states defined by the matrices

$$G = \begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix} \qquad \text{and} \qquad
\tilde{G} = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}$$

respectively are minimal and compute $f$; however, $G$ and $\tilde{G}$ are not
similar.

Let us now introduce the notion of semi-simple GWM°. We say that a GWM° $A$
defined by a set of matrices $\{A^\sigma\}_{\sigma \in \Sigma} \subset M_d(F)$
is semi-simple if the algebra $\mathcal{A}$ generated by the matrices
$\{A^\sigma\}_{\sigma \in \Sigma}$ is semi-simple. It follows from the example
presented in Sect. 2.2 that $G$ is not semi-simple while $\tilde{G}$ is a
semi-simple GWM° computing the GWM°-recognizable function $f$. We will now show
that this simple example can be generalized: any GWM°-recognizable function can
be computed by a semi-simple GWM°. This non-trivial result relies on the
following theorem, which is a direct consequence of the Wedderburn-Malcev
theorem.


Theorem 3. Let $\mathcal{A} \subset M_d(F)$ be a matrix algebra over a field of
characteristic 0. Then there exist a semi-simple sub-algebra $\bar{\mathcal{A}}$
of $\mathcal{A}$ and a surjective homomorphism $\pi: \mathcal{A} \to
\bar{\mathcal{A}}$ such that $\mathrm{Tr}(A) = \mathrm{Tr}(\pi(A))$ for all
$A \in \mathcal{A}$.


Proof. By Theorem 1 there exists a semi-simple sub-algebra $\bar{\mathcal{A}}$
of $\mathcal{A}$ which is isomorphic to $\mathcal{A}/\mathrm{Rad}(\mathcal{A})$
and such that $\mathcal{A} = \bar{\mathcal{A}} \oplus \mathrm{Rad}(\mathcal{A})$
(direct sum of vector spaces). Let $\pi: \mathcal{A} \to \bar{\mathcal{A}}$ be
the projection associated with this direct sum. Then for any $A \in \mathcal{A}$
we have

$$\mathrm{Tr}(A) = \mathrm{Tr}(\pi(A) + (1 - \pi)(A)) = \mathrm{Tr}(\pi(A)) +
\mathrm{Tr}((1 - \pi)(A)) = \mathrm{Tr}(\pi(A)).$$

Indeed, since $(1 - \pi)(A) \in \mathrm{Rad}(\mathcal{A})$, it is nilpotent,
hence its trace is zero.


Using the notations from Theorem 3, it follows that for any $d$-dimensional GWM°
$A$ given by a set of matrices $\{A^\sigma\}_{\sigma \in \Sigma} \subset M_d(F)$
generating the algebra $\mathcal{A}$, the $d$-dimensional GWM° $\bar{A}$ given by
the matrices $\{\bar{A}^\sigma = \pi(A^\sigma)\}_{\sigma \in \Sigma}$ is a
semi-simple GWM° computing the function $f_A$, hence the following corollary.


Corollary 1. Any function that can be computed by a GWM° can be computed by a
semi-simple GWM° of the same dimension.


Given a finite-dimensional algebra $\mathcal{A}$, one can compute the surjective
homomorphism $\pi$ from Theorem 3 in polynomial time when $F$ allows efficient
arithmetic computations (e.g. $F = \mathbb{Q}$) [12,15]. The algorithm takes as
input a basis $a_1, \dots, a_n$ of $\mathcal{A}$ (as a vector space) and the
structure coefficients of the algebra (which are the scalars $c_{ij}^k \in F$
satisfying $a_i a_j = \sum_k c_{ij}^k a_k$). Since one can easily compute a
basis and the structure coefficients of a matrix algebra $\mathcal{A}$ given a
set of generators $\{A^\sigma\}_{\sigma \in \Sigma}$ in polynomial time, it
follows that any GWM° can be transformed in polynomial time into a semi-simple
GWM° (of the same dimension) computing the same function.

We now show that a result similar to Proposition 3 holds for semi-simple GWM°s:
two semi-simple $d$-dimensional GWM°s are equivalent if and only if they are
related by a change of basis. This result relies on the following theorem.


522 G. Rabusseau 


Theorem 4. Let $\Sigma$ be a finite alphabet and let $\mathcal{A}, \mathcal{B}
\subset M_d(F)$ be the algebras generated by the sets of matrices
$\{A^\sigma\}_{\sigma \in \Sigma}$ and $\{B^\sigma\}_{\sigma \in \Sigma}$
respectively.

If $\mathcal{A}$ and $\mathcal{B}$ are semi-simple and $\mathrm{Tr}(A^w) =
\mathrm{Tr}(B^w)$ for all $w \in \Sigma^*$, then $\mathcal{A}$ is isomorphic to
$\mathcal{B}$. Moreover, the mapping $\phi: \mathcal{A} \to \mathcal{B}$ defined
by extending the mapping

$$\phi_0: A^x \mapsto B^x \quad \text{for all } x \in \Sigma^*$$

by linearity is well-defined and is an isomorphism.


Proof. The mapping $\phi_0$ is by construction a trace-preserving surjective
semi-group homomorphism. We first show that $\phi_0$ can be extended to a
homomorphism $\phi: \mathcal{A} \to \mathcal{B}$.⁶ By definition, any
$A \in \mathcal{A}$ can be written as $A = \sum_{i=1}^n \alpha_i A^{x_i}$ for
some $n \in \mathbb{N}$, $\alpha_1, \dots, \alpha_n \in F$, $x_1, \dots, x_n
\in \Sigma^*$. We will show that the mapping

$$\phi: \sum_{i=1}^n \alpha_i A^{x_i} \mapsto \sum_{i=1}^n \alpha_i
\phi_0(A^{x_i})$$

is well-defined. By construction of $\phi$, it suffices to show that if
$\sum_{i=1}^n \alpha_i A^{x_i} = 0$ for some $\alpha_i \in F$, $x_i \in
\Sigma^*$, then $\sum_i \alpha_i \phi_0(A^{x_i}) = 0$. Suppose
$\sum_{i=1}^n \alpha_i A^{x_i} = 0$; then $\sum_{i=1}^n \alpha_i A^{x_i} A^x = 0$
for any $x \in \Sigma^*$. By linearity of the trace and since $\phi_0$ is a
trace-preserving morphism, it follows that

$$0 = \sum_i \alpha_i \mathrm{Tr}[A^{x_i} A^x] = \sum_i \alpha_i
\mathrm{Tr}[\phi_0(A^{x_i} A^x)] = \sum_i \alpha_i \mathrm{Tr}[\phi_0(A^{x_i})
\phi_0(A^x)] = \mathrm{Tr}\Big[\Big(\sum_i \alpha_i \phi_0(A^{x_i})\Big)
\phi_0(A^x)\Big] = \mathrm{Tr}\Big[\Big(\sum_i \alpha_i \phi_0(A^{x_i})\Big)
B^x\Big]$$

for all $x \in \Sigma^*$. By linearity of the trace and since $\phi_0$ is
surjective, we thus have $\mathrm{Tr}[\phi(\sum_i \alpha_i A^{x_i}) B] = 0$ for
any $B \in \mathcal{B}$, hence $\phi(\sum_i \alpha_i A^{x_i})$ belongs to
$\mathrm{Rad}(\mathcal{B})$ by Proposition 2 and must be 0 since $\mathcal{B}$
is semi-simple.

One can easily check that $\phi$ is trace-preserving, is surjective and is a
homomorphism. It remains to show that $\phi$ is injective. Let $A \in
\mathcal{A}$ be such that $\phi(A) = 0$. Since $\phi$ is a homomorphism we have
$\phi(AX) = 0$ for any $X \in \mathcal{A}$, and thus $0 = \mathrm{Tr}(\phi(AX))
= \mathrm{Tr}(AX)$ for all $X \in \mathcal{A}$. Hence $A \in
\mathrm{Rad}(\mathcal{A})$ by Proposition 2 and must be 0 since $\mathcal{A}$
is semi-simple.




The previous theorem can be leveraged to show that if two semi-simple GWM°s of
the same dimension compute the same function, then they are related by a change
of basis (note that the converse of this statement is immediate since the trace
is a basis-independent operator). Let $A$ and $B$ be two $d$-dimensional
semi-simple GWM°s computing the same function and let $\mathcal{A}, \mathcal{B}
\subset M_d(F)$ be the algebras generated by their respective sets of matrices
$\{A^\sigma\}_{\sigma \in \Sigma}$ and $\{B^\sigma\}_{\sigma \in \Sigma}$. First
observe that the identity mapping $\rho: \mathcal{A} \to L(F^d)$ defined by
$\rho(A) = A$ for all $A \in \mathcal{A}$ is (trivially) a representation of the
algebra $\mathcal{A}$. Now, since $A$ and $B$ compute the same function and are
semi-simple, we have $\mathrm{Tr}(A^w) = \mathrm{Tr}(B^w)$ for all
$w \in \Sigma^*$ and it follows from Theorem 4 that $\mathcal{A}$ is isomorphic
to $\mathcal{B}$; let $\phi: \mathcal{A} \to \mathcal{B}$ be the isomorphism
defined in this theorem. Then, the mapping $\tau: \mathcal{A} \to L(F^d)$
defined by $\tau(A) = \phi(A)$ for all $A \in \mathcal{A}$ is also a
representation of $\mathcal{A}$, and since $\mathcal{A}$ is semi-simple it
follows from Theorem 2 that $\rho$ and $\tau$ are similar. That is, there exists
an invertible matrix $P \in M_d(F)$ such that $\rho(A) = P^{-1} \tau(A) P$ for
all $A \in \mathcal{A}$. In particular we have

$$A^\sigma = \rho(A^\sigma) = P^{-1} \tau(A^\sigma) P = P^{-1} \phi(A^\sigma) P
= P^{-1} B^\sigma P$$

for all $\sigma \in \Sigma$, hence the following corollary.

6 This part of the proof is adapted from the proof of Proposition 3.1 in [18].


Corollary 2. Two $d$-dimensional semi-simple GWM°s $A$ and $B$ compute the same
function if and only if they are related by a change of basis, i.e. there exists
an invertible matrix $P \in M_d(F)$ such that $A^\sigma = P^{-1} B^\sigma P$ for
all $\sigma \in \Sigma$.


In the case where $F$ allows for efficient arithmetic computations (e.g. $F =
\mathbb{Q}$), it follows that the equivalence of GWM°s can be decided in
polynomial time. Indeed, given two GWM°s $A$ and $B$ of the same dimension
defined by the matrices $\{A^\sigma\}_{\sigma \in \Sigma}$ and
$\{B^\sigma\}_{\sigma \in \Sigma}$ respectively, one can first transform them
into semi-simple GWM°s using Theorem 3 and the algorithm in [12,15], and then
check whether the resulting matrices are related by a change of basis. The case
where the two GWM°s are not of the same dimension can be easily handled. Without
loss of generality, suppose that $A$ and $B$ are semi-simple GWM°s of dimension
$d$ and $d'$ respectively with $d' < d$. One can construct a $d$-dimensional GWM°
$\hat{B}$ computing the same function as $B$ by considering the block-diagonal
matrices $\hat{B}^\sigma = B^\sigma \oplus 0$ for each $\sigma \in \Sigma$
(where $0$ is the $(d - d') \times (d - d')$ matrix with all entries equal to
0). It is easy to check that $\hat{B}$ is semi-simple if $B$ is semi-simple,
hence one can decide if $A$ is equivalent to $B$ by checking whether the matrices
$A^\sigma$ and $\hat{B}^\sigma$ are related by a change of basis.


4 Minimization of GWMs over Circular Strings 


We now consider the minimization problem: given a GWM° $A$, can we find a
minimal GWM° computing $f_A$? We will show that the answer is in the positive
and that such a minimal GWM° can be computed in polynomial time. We start with a
technical lemma that generalizes the classical result stating that for any
$d \times d$ matrix $A$, the kernel of $A^d$ is equal to the kernel of $A^{d+k}$
for any $k \geq 0$.


Lemma 2. Let $\{A^\sigma\}_{\sigma \in \Sigma} \subset M_d(F)$ be a finite set
of matrices. Then for all $k \geq 0$ we have

$$\bigcap_{x \in \Sigma^d} \ker(A^x) = \bigcap_{y \in \Sigma^{d+k}} \ker(A^y).$$


Proof. For any integer $i$, let $E_i = \bigcap_{x \in \Sigma^i} \ker(A^x)$. We
start by showing that if $E_i = E_{i+1}$ for some $i$ then $E_{i+1} = E_{i+2}$.
The inclusion $E_{i+1} \subseteq E_{i+2}$ is immediate. Suppose $E_i = E_{i+1}$
for some integer $i$. If $v \in E_{i+2}$ then $A^\sigma v \in \ker(A^x)$ for all
$x \in \Sigma^{i+1}$ and all $\sigma \in \Sigma$, i.e. $A^\sigma v \in E_{i+1} =
E_i$ for all $\sigma \in \Sigma$, which implies $A^\sigma v \in \ker(A^y)$ for
all $y \in \Sigma^i$ and all $\sigma \in \Sigma$, from which $v \in E_{i+1}$
follows directly. To conclude, since each $E_i$ is a linear subspace of $F^d$,
$E_i \subsetneq E_{i+1}$ implies $\dim E_i < \dim E_{i+1}$, hence there must
exist an $i$ for which $E_i = E_{i+1}$, and this $i$ cannot be greater than $d$.


We show in the following theorem that the linear space $E = \bigcap_{x \in
\Sigma^d} \ker(A^x)$ is not relevant to the computation of a GWM° $A$ with
matrices $\{A^\sigma\}_{\sigma \in \Sigma}$, i.e. one can project each matrix
$A^\sigma$ onto the orthogonal complement of $E$ without changing the function
computed by $A$.


Theorem 5. Let $A$ be a GWM° given by the set of matrices $\{A^\sigma\}_{\sigma
\in \Sigma} \subset M_d(F)$. Consider the linear space

$$E = \bigcap_{x \in \Sigma^d} \ker(A^x) = \{v \in F^d : A^x v = 0 \text{ for
all } x \in \Sigma^d\}$$

and let $\Pi \in F^{d \times d}$ be the matrix of the orthogonal projection onto
$E$. Then, the GWM° $\hat{A}$ given by the matrices $\hat{A}^\sigma = A^\sigma
(I - \Pi)$ for each $\sigma \in \Sigma$ is such that $f_A = f_{\hat{A}}$.


Proof. Let $\mathcal{A}$ be the algebra generated by the matrices
$\{A^\sigma\}_{\sigma \in \Sigma}$. Let us first observe that $E$ is
$\mathcal{A}$-invariant, which follows from Lemma 2. Indeed, if $v \in E$ and
$y \in \Sigma^*$ we have $A^x A^y v = 0$ for any $x \in \Sigma^d$ (since
$|xy| \geq d$), hence $A^y v \in E$; the extension to an arbitrary element of
$\mathcal{A}$ is immediate by linearity. This implies that for any
$A \in \mathcal{A}$, we have

$$\Pi A \Pi = A \Pi \qquad \text{and} \qquad (I - \Pi) A \Pi = 0. \qquad (2)$$

Now, let $k \geq 1$, let $x = x_1 \cdots x_k \in \Sigma^k$ and let $P_1 = \Pi$
and $P_2 = I - \Pi$. We can decompose $A^x$ into

$$A^x = \prod_{i=1}^k A^{x_i} = \prod_{i=1}^k A^{x_i}(P_1 + P_2) =
\sum_{j_1, \dots, j_k \in \{1,2\}} A^{x_1} P_{j_1} A^{x_2} P_{j_2} \cdots
A^{x_k} P_{j_k}$$

$$= \hat{A}^x + A^{x_1} \Pi A^{x_2} \Pi \cdots A^{x_k} \Pi +
\sum_{\substack{j_1, \dots, j_k \in \{1,2\} \text{ s.t.} \\ \exists\, l \neq l' :
j_l \neq j_{l'}}} A^{x_1} P_{j_1} A^{x_2} P_{j_2} \cdots A^{x_k} P_{j_k}.$$

We will show that the traces of all the summands in this last expression, except
for the first one, are equal to 0. First, using Eq. (2) we have $A^{x_1} \Pi
A^{x_2} \Pi \cdots A^{x_k} \Pi = A^x \Pi$. Moreover, for any integer $s$ such
that $sk \geq d$ we have $(A^x \Pi)^s = A^{x^s} \Pi = 0$ by definition of $E$
and by Lemma 2, thus $A^x \Pi$ is nilpotent and its trace is 0 by Lemma 1. For
the remaining terms, let $j_1, \dots, j_k \in \{1,2\}$ be not all equal. Let
$l \in [k]$ be an index such that $j_l = 2$ and $j_{l+1} = 1$, where the index
$l + 1$ is taken to be 1 when $l = k$. Using the invariance of the trace under
cyclic permutations of a matrix product, we obtain

$$\mathrm{Tr}(A^{x_1} P_{j_1} A^{x_2} P_{j_2} \cdots A^{x_k} P_{j_k}) =
\mathrm{Tr}(A^{x_l} P_{j_l} A^{x_{l+1}} P_{j_{l+1}} \cdots) =
\mathrm{Tr}(A^{x_l} (I - \Pi) A^{x_{l+1}} \Pi \cdots) = 0$$

where we used Eq. (2) again for the last equality. To conclude, we have shown
that $\mathrm{Tr}(\hat{A}^x) = \mathrm{Tr}(A^x)$ for all $x \in \Sigma^*$,
hence $A$ and $\hat{A}$ compute the same function on circular strings.


Moreover, we now show that the subspace $E$ from the previous theorem can be used
to obtain a characterization of the minimality of a GWM°.


Theorem 6. Let $A$ be a GWM° given by the set of matrices $\{A^\sigma\}_{\sigma
\in \Sigma} \subset M_d(F)$. Then, $A$ is minimal if and only if the linear space

$$E = \bigcap_{x \in \Sigma^d} \ker(A^x) = \{v \in F^d : A^x v = 0 \text{ for
all } x \in \Sigma^d\}$$

is trivial, i.e. $E = \{0\}$.


Proof. Suppose that $E$ is not trivial and let $\Pi$ be the matrix of the
orthogonal projection onto $E$. Then, the rank $R$ of $I - \Pi$ is strictly less
than $d$ and there exists an orthogonal matrix $U \in \mathbb{R}^{d \times R}$
such that $I - \Pi = UU^\top$. It follows from Theorem 5 that, for any non-empty
word $x = x_1 \cdots x_k$, we have

$$\mathrm{Tr}(A^x) = \mathrm{Tr}(A^{x_1}(I - \Pi) A^{x_2}(I - \Pi) \cdots
A^{x_k}(I - \Pi)) = \mathrm{Tr}(A^{x_1} UU^\top A^{x_2} UU^\top \cdots A^{x_k}
UU^\top) = \mathrm{Tr}((U^\top A^{x_1} U)(U^\top A^{x_2} U) \cdots (U^\top
A^{x_k} U)).$$

Hence, the $R$-dimensional GWM° given by the matrices $\tilde{A}^\sigma = U^\top
A^\sigma U$ computes the same function as $A$, showing that $A$ is not minimal.

Suppose now that $A$ is not minimal. Let $B$ be a GWM° of dimension $d' < d$,
given by the matrices $\{B^\sigma\}_{\sigma \in \Sigma}$, such that $f_B = f_A$.
Let $\mathcal{A}$ (resp. $\mathcal{B}$) be the algebra generated by the matrices
$\{A^\sigma\}_{\sigma \in \Sigma}$ (resp. $\{B^\sigma\}_{\sigma \in \Sigma}$).
By Corollary 1, we can assume that both $A$ and $B$ are semi-simple GWM°s, i.e.
that the algebras $\mathcal{A}$ and $\mathcal{B}$ are semi-simple. For each
$\sigma \in \Sigma$, let $\hat{B}^\sigma = B^\sigma \oplus 0 \in \mathbb{R}^{d
\times d}$ be the block-diagonal matrix having $B^\sigma$ in the upper diagonal
block and 0's elsewhere. Let $\hat{\mathcal{B}}$ be the algebra generated by the
matrices $\{\hat{B}^\sigma\}_{\sigma \in \Sigma} \subset M_d(F)$. It is easy to
check that the GWM° $\hat{B}$ computes the same function as $A$ and $B$ and that
the algebra $\hat{\mathcal{B}}$ is semi-simple (it is indeed isomorphic to the
semi-simple algebra $\mathcal{B}$). It then follows from Corollary 2 that there
exists an invertible matrix $P \in M_d(F)$ such that $A^\sigma = P \hat{B}^\sigma
P^{-1}$ for all $\sigma \in \Sigma$. Let $e_d$ be the $d$th vector of the
canonical basis of $F^d$; by definition of $\hat{B}^\sigma$ we have
$\hat{B}^\sigma e_d = 0$ for any $\sigma \in \Sigma$, and consequently $A^\sigma
P e_d = 0$ for any symbol $\sigma$, showing that $P e_d \in E$ and $E \neq
\{0\}$.


It follows from the two previous theorems that by restricting the linear
operators $A^\sigma$ of a GWM° $A$ to the subspace $E^\perp$, one can obtain a
minimal GWM° computing $f_A$. We formally state this result in the following
corollary.


Corollary 3. Let $A$ be a GWM° given by the matrices $\{A^\sigma\}_{\sigma \in
\Sigma} \subset M_d(F)$ and let $\Pi$ be the matrix of the orthogonal projection
onto the space $E = \bigcap_{x \in \Sigma^d} \ker(A^x)$. For any orthogonal
matrix $U \in F^{d \times R}$ such that $I - \Pi = UU^\top$ (where $R$ is the
dimension of $E^\perp$), the $R$-dimensional GWM° $\hat{A}$ given by the matrices
$\hat{A}^\sigma = U^\top A^\sigma U$ is a minimal GWM° computing $f_A$.




Proof. Using the invariance of the trace under cyclic permutations of a matrix
product, it directly follows from Theorem 5 that $f_{\hat{A}} = f_A$. Moreover,
one can check that $\hat{E} = \bigcap_{x \in \Sigma^R} \ker(\hat{A}^x) = \{0\}$
by construction of the matrices $\hat{A}^\sigma$, hence $\hat{A}$ is minimal by
Theorem 6.


We showed that a GWM° can be minimized by restricting its matrices to the
subspace $E^\perp$. In order to do so, one needs to compute a basis of $E =
\bigcap_{x \in \Sigma^d} \ker(A^x)$. This can naively be done by first computing
$\ker(A^x)$ for each $x \in \Sigma^d$ and then computing a basis for the
intersection of these linear subspaces; however, the complexity of this approach
is exponential in the dimension $d$. We show in the following proposition that
for semi-simple GWM°s, one simply needs to compute a basis of the space
$\bigcap_{\sigma \in \Sigma} \ker(A^\sigma)$, which can be done in polynomial
time (provided that the field $F$ admits efficient symbolic arithmetic, e.g.
$F = \mathbb{Q}$).


Proposition 4. Let $\mathcal{A} \subset M_d(F)$ be the finite-dimensional algebra
generated by the set of matrices $\{A^\sigma\}_{\sigma \in \Sigma}$. Then if
$\mathcal{A}$ is semi-simple we have

$$\bigcap_{x \in \Sigma^d} \ker(A^x) = \bigcap_{\sigma \in \Sigma}
\ker(A^\sigma).$$


Proof. For any integer $i \geq 1$, let $E_i = \bigcap_{x \in \Sigma^i}
\ker(A^x)$. Recall from the proof of Lemma 2 that $E_i \subseteq E_{i+1}$ for
all $i$ and that $E_i = E_{i+1}$ implies $E_i = E_{i+k}$ for any integer
$k \geq 0$, hence it will be sufficient to show that $E_1 = E_2$. One can check
that each $E_i$ is $\mathcal{A}$-invariant, i.e. each $E_i$ is an
$\mathcal{A}$-module. Since $\mathcal{A}$ is semi-simple, any
$\mathcal{A}$-module is semi-simple [17, Theorem 2.6.2], which implies that if
$M$ is an $\mathcal{A}$-module, every submodule $U$ of $M$ has a complement [17,
Proposition 2.2.1], i.e. there exists an $\mathcal{A}$-module $V$ such that
$M = U \oplus V$. Now since $E_1$ is a submodule of the $\mathcal{A}$-module
$E_2$, $E_1$ has a complement $U$ in $E_2$, i.e. $U$ is $\mathcal{A}$-invariant
and $E_2 = E_1 \oplus U$. Let $v \in U$. We show $v = 0$. Since $v \in E_2$, we
have $A^{\sigma_1} A^{\sigma_2} v = 0$ for all $\sigma_1, \sigma_2 \in \Sigma$,
hence $A^\sigma v \in E_1$ for all $\sigma \in \Sigma$. Moreover, we have
$A^\sigma v \in U$ for all $\sigma \in \Sigma$ since $U$ is
$\mathcal{A}$-invariant. It follows that $A^\sigma v \in E_1 \cap U = \{0\}$
and $A^\sigma v = 0$ for all $\sigma \in \Sigma$, hence $v \in E_1$ and since
$v \in U$ we have $v = 0$. To conclude, we have $U = \{0\}$, hence $E_1 = E_2$.


Since a GWM° can be transformed into an equivalent semi-simple GWM° in polynomial
time (see Corollary 1 and the following discussion), the minimization of a GWM°
defined over circular strings can be achieved in polynomial time by first
converting it to a semi-simple GWM° and then applying Corollary 3 with
Proposition 4. The overall minimization algorithm is summarized in Algorithm 1.
Algorithm 1. Minimization of a GWM° defined over circular strings
Input: A $d$-dimensional GWM° $A$ given by a set of matrices $\{A^\sigma\}_{\sigma
\in \Sigma} \subset M_d(F)$.
Output: A minimal GWM° $\tilde{A}$ computing $f_A$.

1: Let $\mathcal{A}$ be the algebra generated by the matrices
   $\{A^\sigma\}_{\sigma \in \Sigma}$.
2: Compute a basis $(A_1, \dots, A_n)$ of $\mathcal{A}$ (as an $F$-vector space)
   and the structure coefficients $c_{ij}^k \in F$ for $i, j, k \in [n]$
   satisfying $A_i A_j = \sum_k c_{ij}^k A_k$.
3: Compute the sub-algebra $\bar{\mathcal{A}}$ and the corresponding surjective
   homomorphism $\pi: \mathcal{A} \to \bar{\mathcal{A}}$ satisfying
   $\mathcal{A} = \mathrm{Rad}(\mathcal{A}) \oplus \bar{\mathcal{A}}$ and
   $\bar{\mathcal{A}} \cong \mathcal{A}/\mathrm{Rad}(\mathcal{A})$ (using the
   algorithm from [15], see Theorem 3).
4: Let $\bar{A}$ be the semi-simple GWM° given by the set of matrices
   $\{\bar{A}^\sigma = \pi(A^\sigma)\}_{\sigma \in \Sigma}$.
5: Compute a basis of $E_1 = \{v \in F^d : \bar{A}^\sigma v = 0 \text{ for all }
   \sigma \in \Sigma\} = \bigcap_{\sigma \in \Sigma} \ker(\bar{A}^\sigma)$.
6: Let $\Pi \in F^{d \times d}$ be the matrix of the orthogonal projection onto
   $E_1$.
7: Let $R$ be the rank of $I - \Pi$ and let $U \in F^{d \times R}$ be an
   orthogonal matrix such that $I - \Pi = UU^\top$.
8: return The $R$-dimensional GWM° $\tilde{A}$ given by the matrices
   $\{\tilde{A}^\sigma = U^\top \bar{A}^\sigma U\}_{\sigma \in \Sigma}$.
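As an added worked example (not code from the paper), the following Python implements the trace-based semi-simplicity test of Proposition 2 and steps 5 to 8 of Algorithm 1 with exact arithmetic over $F = \mathbb{Q}$. Steps 2 and 3 (the Wedderburn-Malcev decomposition from [12,15]) are not implemented, so the input is assumed to be semi-simple already and this is checked first; and since an orthogonal $U$ need not exist over $\mathbb{Q}$, the reduction uses a rational change of basis $Q = [U \mid W]$ with $W$ a basis of $E$, which preserves every trace because $A^\sigma W = 0$. The matrices $G$ and $\tilde{G}$ are the paper's; GWM3 is a constructed 3-dimensional example with a non-trivial $E$.

```python
from fractions import Fraction as Fr
# Exact arithmetic over F = Q, as in the paper's complexity claims. A matrix is a list
# of rows of Fractions; a GWM over circular strings is a dict sigma -> A^sigma.

def mat(rows):
    return [[Fr(v) for v in row] for row in rows]
def eye(d):
    return [[Fr(int(i == j)) for j in range(d)] for i in range(d)]
def mul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]
def trace(A):
    return sum(A[i][i] for i in range(len(A)))

def rref(rows):
    """Reduced row echelon form of a list of row vectors; returns (R, pivot columns)."""
    R, pivots, r = [row[:] for row in rows], [], 0
    for c in range(len(R[0]) if R else 0):
        p = next((i for i in range(r, len(R)) if R[i][c] != 0), None)
        if p is None:
            continue
        R[r], R[p] = R[p], R[r]
        piv = R[r][c]
        R[r] = [v / piv for v in R[r]]
        for i, row in enumerate(R):
            if i != r and row[c] != 0:
                R[i] = [a - row[c] * b for a, b in zip(row, R[r])]
        pivots.append(c)
        r += 1
    return R, pivots
def rank(rows):
    return len(rref(rows)[1])
def nullspace(M):
    """Basis of {v : Mv = 0}, read off the free columns of the RREF."""
    R, pivots = rref(M)
    n, basis = len(M[0]), []
    for f in [c for c in range(n) if c not in pivots]:
        v = [Fr(int(c == f)) for c in range(n)]
        for i, p in enumerate(pivots):
            v[p] = -R[i][f]
        basis.append(v)
    return basis
def inverse(Q):
    d = len(Q)
    R, pivots = rref([row + e for row, e in zip(Q, eye(d))])
    assert pivots == list(range(d)), "matrix is singular"
    return [row[d:] for row in R]

def gwm_value(mats, word):
    """f_A(x) = Tr(A^x) with A^x = A^{x_1} ... A^{x_k} (the empty word gives the identity)."""
    A = eye(len(next(iter(mats.values()))))
    for s in word:
        A = mul(A, mats[s])
    return trace(A)

def algebra_basis(mats):
    """Basis of span{A^x : x in Sigma*}: breadth-first over words, keeping a product only
    if it is independent of what was kept so far, and extending only kept elements."""
    flat = lambda A: [v for row in A for v in row]
    basis, frontier = [], [eye(len(next(iter(mats.values()))))]
    while frontier:
        nxt = []
        for B in frontier:
            if rank([flat(X) for X in basis + [B]]) > len(basis):
                basis.append(B)
                nxt.extend(mul(B, A) for A in mats.values())
        frontier = nxt
    return basis

def radical_dimension(basis):
    """Prop. 2: sum_i a_i B_i lies in Rad(A) iff sum_i a_i Tr(B_i B_j) = 0 for every j,
    so dim Rad(A) is the nullity of the trace Gram matrix (Tr(B_i B_j))_ij."""
    gram = [[trace(mul(Bi, Bj)) for Bj in basis] for Bi in basis]
    return len(basis) - rank(gram)
def is_semisimple(mats):
    return radical_dimension(algebra_basis(mats)) == 0

def minimize_semisimple(mats):
    """Steps 5 to 8 of Algorithm 1 for an already semi-simple GWM. Over Q an orthogonal U
    need not exist, so a rational change of basis Q = [U | W] is used instead."""
    assert is_semisimple(mats), "semi-simplify first (Theorem 3; not implemented here)"
    d = len(next(iter(mats.values())))
    # Prop. 4: E equals E_1 = intersection of ker(A^sigma), the kernel of the stacked generators.
    W = nullspace([row for A in mats.values() for row in A])
    if not W:
        return dict(mats)  # Theorem 6: E = {0} means A is already minimal
    U = []  # canonical basis vectors completing W to a basis of F^d
    for j in range(d):
        e = [Fr(int(i == j)) for i in range(d)]
        if rank(W + U + [e]) > len(W) + len(U):
            U.append(e)
    Q = [list(row) for row in zip(*(U + W))]  # columns: U then W
    Qi, R = inverse(Q), len(U)
    # In the basis (U, W) each A^sigma is block lower-triangular with a zero block on E,
    # so the top-left R x R blocks give the same traces (Corollary 3).
    return {s: [row[:R] for row in mul(Qi, mul(A, Q))[:R]] for s, A in mats.items()}

# The paper's G and G~ (both compute f(x) = 2), plus a constructed 3-dimensional
# semi-simple GWM whose subspace E is non-trivial.
G = {"a": mat([[1, 1], [0, 1]])}
G_TILDE = {"a": mat([[1, 0], [0, 1]])}
GWM3 = {"a": mat([[1, 0, 0], [0, 2, 0], [0, 0, 0]]),
        "b": mat([[0, 1, 0], [1, 0, 0], [0, 0, 0]])}
```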


5 Conclusion 


We proposed polynomial time algorithms to handle both the minimization and
the equivalence problems for GWMs defined over circular strings. By doing so,
we unraveled fundamental notions from algebra theory that will be central to the
study of GWMs. In particular, the notion of semi-simple GWM° was paramount to
our analysis. Intuitively, semi-simplicity can be thought of as a weak form of
minimality: components from the radical do not contribute to the final
computation of a GWM° (semi-simplification thus corresponds to annihilating these
irrelevant components from the algebra, i.e. from the GWM°'s dynamics).

The next step is of course to try to extend the results obtained in this paper to
GWMs defined over more general families of graphs. One promising direction we
are currently investigating relies on extending the central notion of semi-simple
GWM° to GWMs defined over arbitrary families of labeled graphs: by opening any
edge $e$ in a graph $G$ one obtains a graph $G_e$ with two free ports (i.e. edges
having one end that is not connected to any vertex), which would be mapped by a
$d$-dimensional GWM $A$ to a matrix $A^{G_e} \in M_d(F)$ (indeed, a GWM
naturally maps any graph with $k$ free ports to a $k$th order tensor; see [22,
Sect. 2.2.3] for more details). For circular strings, opening an edge corresponds
to choosing a particular position in the circular string, leading to an actual
string $x \in \Sigma^*$ which is mapped to $A^x$ by the GWM. For arbitrary
labeled graphs, we have $f_A(G) = \mathrm{Tr}(A^{G_e})$ similarly to the case of
circular strings. One can then consider the algebra $\mathcal{A}$ generated by
the matrices $A^{G_e}$ for any graph $G$ in some family of graphs and any edge
$e$ in $G$, and define a semi-simple GWM as a GWM for which this algebra
$\mathcal{A}$ is semi-simple (note that one exactly recovers the notion of
semi-simple GWM° introduced here in the special case of circular strings).
Hence, the fundamental results from algebra theory we leveraged in this paper
should be directly relevant to the study of general GWMs. Beyond minimization,
we intend to study the problem of approximate minimization (such as the ones
considered in [7,23] for string and tree weighted automata) along with the
closely related problem of learning GWMs defined over richer families of graphs
than the one of circular strings.
Abstract. We study pure Nash equilibria in games on graphs with an
imperfect monitoring based on a public signal. In such games, deviations
and players responsible for those deviations can be hard to detect
and track. We propose a generic epistemic game abstraction, which
conveniently allows one to represent the knowledge of the players about these
deviations, and give a characterization of Nash equilibria in terms of
winning strategies in the abstraction. We then use the abstraction to
develop algorithms for some payoff functions.


1 Introduction 


Multiplayer concurrent games over graphs allow one to model rich interactions
between players. Those games are played as follows. In a state, each player
chooses privately and independently an action, defining globally a move (one
action per player); the next state of the game is then defined as the successor
(on the graph) of the current state using that move; players continue playing
from that new state, and form an (infinite) play. Each player then gets a reward
given by a payoff function (one function per player). In particular, objectives
of the players may not be contradictory: those games are non-zero-sum games,
contrary to two-player games used for controller or reactive synthesis [23,30].
The problem of distributed synthesis [25] can be formulated using multiplayer
concurrent games. In this setting, there is a global objective Φ, and one particular
player called Nature. The question then is whether the so-called grand coalition
(all players except Nature) can enforce Φ, whatever Nature does. While the
players (except Nature) cooperate (and can initially coordinate), their choice of
actions (or strategy) can only depend on what they see from the play so far.
When modelling distributed synthesis as concurrent games, the information players
receive is given via a partial observation function of the states of the game. When
the players have perfect monitoring of the play, the distributed synthesis problem
reduces to a standard two-player zero-sum game. Distributed synthesis is a fairly
hot topic, both using the formalization via concurrent games we have already
described and using the formalization via an architecture of processes [26]. The
most general decidability results in the concurrent game setting are under the


This work has been supported by ERC project EQualIS (FP7-308087). 


© The Author(s) 2018 
C. Baier and U. Dal Lago (Eds.): FOSSACS 2018, LNCS 10803, pp. 530-547, 2018. 
https://doi.org/10.1007/978-3-319-89366-2_29 


Games on Graphs with a Public Signal Monitoring 531 


assumption of hierarchical observation [6,36] (information received by the players
is ordered) or more recently under recurring common knowledge [5].

While distributed synthesis involves several players, this remains nevertheless
a zero-sum question. Using solution concepts borrowed from game theory, one
can go a bit further in describing the interactions between the players, and in
particular in describing rational behaviours of selfish players. One of the most
basic solution concepts is that of Nash equilibria [24]. A Nash equilibrium is a
strategy profile where no player can improve her payoff by unilaterally changing
her strategy. The outcome of a Nash equilibrium can therefore be seen as a
rational behaviour of the system. While very much studied by game theorists
(e.g. over matrix games), such a concept (and variants thereof) has been only
rather recently studied over games on graphs. Probably the first works in that
direction are [15,17,32,33]. Several series of works have followed. To roughly
give an idea of the existing results, pure Nash equilibria always exist in turn-
based games for ω-regular objectives [35] but not in concurrent games; they can
nevertheless be computed for large classes of objectives [9,11,35]. The problem
becomes harder with mixed (that is, stochastic) Nash equilibria, for which we
often cannot decide the existence [10,34].

Computing Nash equilibria requires one to (i) find a good behaviour of the
system; (ii) detect deviations from that behaviour, and identify deviating
players (called deviators); (iii) punish them. This simple characterization of
Nash equilibria is made explicit in [18]. Variants of Nash equilibria require
slightly different ingredients, but they are mostly of a similar vein.

In (almost) all these works though, perfect monitoring is implicitly assumed: 
in all cases, players get full information on the states which are visited; a slight 
imperfect monitoring is assumed in some works on concurrent games (like [9]), 
where actions which have been selected are not made available to all the players 
(we speak of hidden actions). This can yield some uncertainties for detecting 
deviators but not on states the game can be in, which is rather limited and can 
actually be handled. 

In this work, we integrate imperfect monitoring into the problem of deciding the existence of pure Nash equilibria and computing witnesses. We choose to model imperfect monitoring via the notion of signal, which, given a joint decision of the players together with the next state the play will be in, gives some information to the players. To take further decisions, players get information from the signals they received, and have perfect recall about the past (their own actions and the signals they received). We believe this is a meaningful framework. Let us give an example of a wireless network in which several devices try to send data: each device can modulate its transmission power, in order to maximise its bandwidth and reduce energy consumption as much as possible. However there might be a degradation of the bandwidth due to other devices, and the satisfaction of each device is measured as a compromise between energy consumption and allocated bandwidth, and is given by a quantitative payoff function.¹ In such a problem, it is natural to assume that a device only gets global information about the load of the network, and not about each other device which is connected to the network. This can be expressed using imperfect monitoring via public signals.

Following [31] in the framework of repeated matrix games, we put forward a 
notion of public signal (inspired by [31]). A signal will be said public whenever 
it is common to all players. That is, after each move, all the players get the same 
information (their own action remains of course private). We will also distinguish 
several kinds of payoff functions, depending on whether they are publicly visible 
(they only depend on the public signal), or privately visible (they depend on the 
public signal and on private actions: the corresponding player knows his payoff!), 
or invisible (players may not even be sure of their payoff). 

The payoff functions we will focus on in this paper are Boolean ω-regular payoff functions and mean payoff functions. Some of the decidability results can be extended in various directions, which we will mention along the way.

As initial contributions of the paper, we show some undecidability results, and in particular that the hypothesis of a public signal alone is not sufficient to enjoy all the nice decidability results: for mean payoff functions which are privately visible, one cannot decide the constrained existence of a Nash equilibrium. Constrained existence of a Nash equilibrium asks for the existence of a Nash equilibrium whose payoff satisfies some given constraint.

The main contribution of the paper is the construction of a so-called epistemic game abstraction. This abstraction is a two-player turn-based game in which we show that winning strategies of one of the players (Eve) actually correspond to Nash equilibria in the original game. The winning condition for Eve is rather complex, but can be simplified in the case of publicly visible payoff functions. The epistemic game abstraction is inspired by both the epistemic unfolding of [4] used for distributed synthesis, and the suspect game abstraction of [9] used to compute Nash equilibria in concurrent games with hidden actions. In our abstraction, we nevertheless do not fully formalize epistemic unfoldings, and concentrate on the structure of the knowledge which is useful under the assumption of public signals; we show that several subset constructions (as done initially in [27], and since then used on various occasions, see e.g. [14,19,20,22]) made in parallel are sufficient to represent the knowledge of all the players. The framework of [9] happens to be a special case of the public signal monitoring framework of the current paper. This construction can therefore be seen as an extension of the suspect game abstraction.

This generic construction can be applied to several frameworks with publicly visible payoff functions. We give two such applications, one with Boolean ω-regular payoff functions and one with mean payoff functions.


¹ This can be expressed by $\mathrm{payoff}_i = \cdots\,(1 - e^{-\gamma_i})^{L}$, where $\gamma_i$ is the signal-to-interference-and-noise ratio for player $i$, $R$ is the rate at which the wireless system transmits the information and $L$ is the size of the packets [29].
Further Related Works. We have already discussed several kinds of related works. Let us give some final remarks.

We have mentioned earlier that one of the problems for computing Nash equilibria is to detect deviations and the players who deviated. Somehow, the epistemic game abstraction tracks the potential deviators, and even though players might not know who exactly is responsible for the deviation (there might be several suspects), they can try to punish all potential suspects. And that is what we do here. Very recently, [7] discusses the detection of deviators, and gives some conditions for them to become common knowledge of the other players. In our framework, even though deviators may not become fully common knowledge, we can design mechanisms to punish the relevant ones.

Recently imperfect information has also been introduced in the setting of multi-agent temporal logics [2,3,20,21], and the main decidability results assume hierarchical information. However, while those logics allow one to express rich interactions, they can only consider qualitative properties. Furthermore, no tight complexity bounds are provided.

In [11], a deviator game abstraction is proposed. It twists the suspect game abstraction [9] to allow for more general solution concepts (so-called robust equilibria), but it assumes visibility of actions (hence removes any kind of uncertainty). Relying on results of [13], this deviator game abstraction allows one to compute equilibria with mean payoff functions. Our algorithms for mean payoff functions will also rely on the polyhedron problem of [13].

A full version of this paper with all proofs is available as [8]. In this extended abstract, we made the choice to focus on the construction of the epistemic game abstraction and to be more sketchy on the algorithms to compute Nash equilibria. We indeed believe that the structure of the knowledge represented by the abstraction is the most important contribution, and that the algorithms are more standard. However we believe it is important to be able to apply the abstract construction for algorithmic purposes.


2 Definitions 


Throughout the paper, if $S \subseteq \mathbb{R}$, we write $\overline{S}$ for $S \cup \{-\infty, +\infty\}$.


2.1 Concurrent Multiplayer Games with Signals 


We consider the model of concurrent multi-player games, based on the two-player 
model of [1]. This model of games was used for instance in [9]. We equip games 
with signals, which will give information to the players. 


Definition 1. A concurrent game with signals is a tuple

$$\mathcal{G} = (V, v_{\mathrm{init}}, P, \mathrm{Act}, \Sigma, \mathrm{Allow}, \mathrm{Tab}, (\ell_A)_{A \in P}, (\mathrm{payoff}_A)_{A \in P})$$

where $V$ is a finite set of vertices, $v_{\mathrm{init}} \in V$ is the initial vertex, $P$ is a finite set of players, $\mathrm{Act}$ is a finite set of actions, $\Sigma$ is a finite alphabet, $\mathrm{Allow}: V \times P \to 2^{\mathrm{Act}} \setminus \{\emptyset\}$ is a mapping indicating the actions available to a given player in a given vertex, $\mathrm{Tab}: V \times \mathrm{Act}^P \to V$ associates, with a given vertex and a given action tuple, the target vertex, for every $A \in P$, $\ell_A: (\mathrm{Act}^P \times V) \to \Sigma$ is a signal, and $\mathrm{payoff}_A: V \cdot (\mathrm{Act}^P \cdot V)^\omega \to D$ is a payoff function with values in a domain $D \subseteq \overline{\mathbb{R}}$. We say that the game has public signal if there is $\ell: (\mathrm{Act}^P \times V) \to \Sigma$ such that for every $A \in P$, $\ell_A = \ell$.


The signals will help the players monitor the game: for taking decisions, a player will have the information given by her signal and the actions she played earlier. A public signal will be a common information given to all the players. Our notion of public signal is inspired by [31] and encompasses the model of [9] where only action names were hidden from the players. Note that monitoring by public signal does not mean that all the players have the same information: they have private information implied by their own actions.

An element of $\mathrm{Act}^P$ is called a move. When an explicit order is given on the set of players $P = \{A_1, \ldots, A_{|P|}\}$, we will write a move $m = (m_A)_{A \in P}$ as $(m_{A_1}, \ldots, m_{A_{|P|}})$. If $m \in \mathrm{Act}^P$ and $A \in P$, we write $m(A)$ for the $A$-component of $m$ and $m(-A)$ for all but the $A$-component of $m$. In particular, we write $m(-A) = m'(-A)$ whenever $m(B) = m'(B)$ for every $B \in P \setminus \{A\}$.

A full history $h$ in $\mathcal G$ is a finite sequence

$$v_0 \cdot m_0 \cdot v_1 \cdot m_1 \cdots m_{k-1} \cdot v_k \in V \cdot (\mathrm{Act}^P \cdot V)^*$$

such that for every $0 \le i < k$, $m_i \in \mathrm{Allow}(v_i)$ and $v_{i+1} = \mathrm{Tab}(v_i, m_i)$. For readability we will also write $h$ as $v_0 \xrightarrow{m_0} v_1 \cdots \xrightarrow{m_{k-1}} v_k$. We write $\mathrm{last}(h)$ for the last vertex of $h$ (i.e., $v_k$). If $i \le k$, we also write $h_{\le i}$ for the prefix $v_0 \cdot m_0 \cdot v_1 \cdot m_1 \cdots m_{i-1} \cdot v_i$. We write $\mathrm{Hist}_{\mathcal G}(v_0)$ (or simply $\mathrm{Hist}(v_0)$ if $\mathcal G$ is clear in the context) for the set of full histories in $\mathcal G$ that start at $v_0$. Let $A \in P$. The projection of $h$ for $A$ is denoted $\pi_A(h)$ and is defined as:

$$v_0 \cdot (m_0(A), \ell_A(m_0, v_1)) \cdots (m_{k-1}(A), \ell_A(m_{k-1}, v_k)) \in V \cdot (\mathrm{Act} \times \Sigma)^*$$

This will be the information available to player $A$: it contains both the actions she played so far and the signals she received. Note that we assume perfect recall, that is, while playing, $A$ will remember all her past knowledge, that is, all of $\pi_A(h)$ if $h$ has been played so far. We define the undistinguishability relation $\sim_A$ as the equivalence relation over full histories induced by $\pi_A$: for two histories $h$ and $h'$, $h \sim_A h'$ iff $\pi_A(h) = \pi_A(h')$. While playing, if $h \sim_A h'$, $A$ will not be able to know whether $h$ or $h'$ has been played. We also define the $A$-label of $h$ as $\ell_A(h) = \ell_A(m_0, v_1) \cdot \ell_A(m_1, v_2) \cdots \ell_A(m_{k-1}, v_k)$.

We extend all the above notions to infinite sequences in a straightforward 
way and to the notion of full play. We write Playsg(vo) (or simply Plays(vo) if G 
is clear in the context) for the set of full plays in G that start at vo. 

We will say that the game $\mathcal G$ has publicly (resp. privately) visible payoffs if for every $A \in P$, for every $v_0 \in V$, for every $\rho, \rho' \in \mathrm{Plays}(v_0)$, $\ell_A(\rho) = \ell_A(\rho')$ (resp. $\rho \sim_A \rho'$) implies $\mathrm{payoff}_A(\rho) = \mathrm{payoff}_A(\rho')$. Otherwise they are said to be invisible. Private visibility of payoffs, while not always assumed (see for instance [3,19]), is a reasonable assumption: using only her knowledge, a player knows her payoff. Public visibility is more restrictive, but will be required for some of the results.

Let $A \in P$ be a player. A strategy for player $A$ from $v_0$ is a mapping $\sigma_A: \mathrm{Hist}(v_0) \to \mathrm{Act}$ such that for every history $h \in \mathrm{Hist}(v_0)$, $\sigma_A(h) \in \mathrm{Allow}(\mathrm{last}(h), A)$. It is said $\ell_A$-compatible whenever furthermore, for all histories $h, h' \in \mathrm{Hist}(v_0)$, $h \sim_A h'$ implies $\sigma_A(h) = \sigma_A(h')$. An outcome of $\sigma_A$ is a(n infinite) play $\rho = v_0 \cdot m_0 \cdot v_1 \cdot m_1 \cdots$ such that for every $i \ge 0$, $\sigma_A(\rho_{\le i}) = m_i(A)$. We write $\mathrm{out}(\sigma_A, v_0)$ for the set of outcomes of $\sigma_A$ from $v_0$.

A strategy profile is a tuple $\sigma_P = (\sigma_A)_{A \in P}$, where, for every player $A \in P$, $\sigma_A$ is a strategy for player $A$. The strategy profile is said info-compatible whenever each $\sigma_A$ is $\ell_A$-compatible. We write $\mathrm{out}(\sigma_P, v_0)$ for the unique full play from $v_0$ which is an outcome of all strategies part of $\sigma_P$.

When $\sigma_P$ is a strategy profile and $\sigma'_A$ a player-$A$ strategy, we write $\sigma_P[A/\sigma'_A]$ for the profile where $A$ plays according to $\sigma'_A$, and each other player $B$ plays according to $\sigma_B$. The strategy $\sigma'_A$ is a deviation of player $A$, or an $A$-deviation.


Definition 2. A Nash equilibrium from $v_0$ is an info-compatible strategy profile $\sigma$ such that for every $A \in P$, for every player-$A$ $\ell_A$-compatible strategy $\sigma'_A$,

$$\mathrm{payoff}_A(\mathrm{out}(\sigma, v_0)) \ge \mathrm{payoff}_A(\mathrm{out}(\sigma[A/\sigma'_A], v_0)).$$


In this definition, the deviation $\sigma'_A$ need not be $\ell_A$-compatible, since the only meaningful part of $\sigma'_A$ is along $\mathrm{out}(\sigma[A/\sigma'_A], v_0)$, where there are no $\sim_A$-equivalent histories: any deviation can be made $\ell_A$-compatible without affecting the profitability of the resulting outcome. Note also that there might be an $A$-deviation $\sigma'_A$ which is not observable by another player $B$ ($\mathrm{out}(\sigma, v_0) \sim_B \mathrm{out}(\sigma[A/\sigma'_A], v_0)$), and there might be two deviations $\sigma'_B$ (by player $B$) and $\sigma'_C$ (by player $C$) that cannot be distinguished by player $A$ ($\mathrm{out}(\sigma[B/\sigma'_B], v_0) \sim_A \mathrm{out}(\sigma[C/\sigma'_C], v_0)$). Tracking such deviations will be the core of the abstraction we will develop.


Payoff Functions. In the following we will consider various payoff functions. Let $\Phi$ be an ω-regular property over some alphabet $\Gamma$. The function $\mathrm{pay}_\Phi: \Gamma^\omega \to \{0, 1\}$ is defined by, for every $\alpha \in \Gamma^\omega$, $\mathrm{pay}_\Phi(\alpha) = 1$ if and only if $\alpha \models \Phi$. A publicly (resp. privately) visible payoff function $\mathrm{payoff}_A$ for player $A$ is said associated with $\Phi$ over $\Sigma$ (resp. $\mathrm{Act} \times \Sigma$) whenever it is defined by $\mathrm{payoff}_A(\rho) = \mathrm{pay}_\Phi(\ell_A(\rho))$ (resp. $\mathrm{payoff}_A(\rho) = \mathrm{pay}_\Phi(\pi_A(\rho)_{-v_0})$, where $\pi_A(\rho)_{-v_0}$ crops the first $v_0$). Such a payoff function is called a Boolean ω-regular payoff function.

Let $\Gamma$ be a finite alphabet and $w: \Gamma \to \mathbb{Z}$ be a weight assigning a value to every letter of that alphabet. We define two payoff functions over $\Gamma^\omega$ by, for every $\alpha = (a_i)_{i \ge 1} \in \Gamma^\omega$,

$$\mathrm{pay}_{\underline{\mathrm{MP}}_w}(\alpha) = \liminf_{n \to \infty} \frac{1}{n} \sum_{i=1}^{n} w(a_i) \qquad \text{and} \qquad \mathrm{pay}_{\overline{\mathrm{MP}}_w}(\alpha) = \limsup_{n \to \infty} \frac{1}{n} \sum_{i=1}^{n} w(a_i).$$

A publicly visible payoff function $\mathrm{payoff}_A$ for player $A$ is said associated with the liminf (resp. limsup) mean payoff of $w$ whenever it is defined by $\mathrm{payoff}_A(\rho) = \mathrm{pay}_{\underline{\mathrm{MP}}_w}(\ell_A(\rho))$ (resp. $\mathrm{pay}_{\overline{\mathrm{MP}}_w}(\ell_A(\rho))$). A privately visible payoff function $\mathrm{payoff}_A$ for player $A$ is said associated with the liminf (resp. limsup) mean payoff of $w$ whenever it is defined by $\mathrm{payoff}_A(\rho) = \mathrm{pay}_{\underline{\mathrm{MP}}_w}(\pi_A(\rho)_{-v_0})$ (resp. $\mathrm{pay}_{\overline{\mathrm{MP}}_w}(\pi_A(\rho)_{-v_0})$).
Fig. 1. An example of a concurrent game with public signal (yellow and green: public signal). Edges in red and bold are part of the strategy profile. Dashed edges are the possible deviations. One can notice that none of the deviations is profitable to the deviator, hence the strategy profile is a Nash equilibrium. Convention in the drawing: edges with no label are for complementary labels (for instance the edge from $v_5$ to $0,0,0$ is labelled by all $(a_1, a_2, a_3)$ not in the set $\{(a,a,a), (b,a,a), (b,a,b)\}$). (Color figure online)


Example 1. We now illustrate most notions on the game of Fig. 1. This is a game with three players $A_1$, $A_2$ and $A_3$, which is played basically in two steps, starting at $v_0$. Graphically an edge labelled $(a_1, a_2, a_3)$ between two vertices $v$ and $v'$ represents the fact that $a_i \in \mathrm{Allow}(v, A_i)$ for every $i \in \{1, 2, 3\}$ and that $v' = \mathrm{Tab}(v, (a_1, a_2, a_3))$. As a convention, $*$ stands for both $a$ and $b$. For readability, bottom vertices explicitly indicate the payoffs of the three players (same order as for actions) if the game ends in that vertex.

After the first step of the game, signal yellow or green is sent to all the players. Histories $v_0 \cdot (a, b, a) \cdot v_2$ and $v_0 \cdot (a, a, a) \cdot v_1$ are undistinguishable by $A_1$ and $A_3$ (same action, same signal), but they can be distinguished by $A_2$ because of different actions (even if the same signal is observed).

In bold red, we have depicted a strategy profile, which is actually a Nash equilibrium. We analyze the possible deviations in this game to argue for this.


— First there is an $A_2$-deviation to $v_1$. This deviation is invisible to both players $A_1$ and $A_3$. For this reason, the strategy out of $v_1$ for $A_1$ is to play $a$ (same as out of $v_2$). On the other hand, even though this would be profitable to her, $A_1$ cannot deviate from $v_1$, since we are in a branch where $A_2$ has already deviated, and at most one player is allowed to deviate at a time (and anyway $A_1$ does not know that they are in state $v_1$).

— There is an $A_1$-deviation from $v_2$ to $0,1,0$, which is not profitable to $A_1$.

— On the other hand, there is no possible deviation to $v_3$, since this would require two players to change their actions simultaneously ($A_1$ and $A_2$).

— Then, there is an $A_1$-deviation to $v_4$ and another $A_3$-deviation to $v_5$; both activate the green signal. $A_2$ knows there has been a deviation (because of the green signal), but she doesn't know who has deviated and whether the game proceeds to $v_4$ or $v_5$ (but she knows that if $A_1$ has deviated, then we are in $v_4$, and if $A_3$ has deviated, we are in $v_5$). Then, $A_2$ has to find a way to punish both players, to be safe. On the other hand, both players $A_1$ and $A_3$ precisely know what has happened: in case she didn't deviate herself, she knows the other one deviated! And she knows in which state the game is. Hence in state $v_4$, $A_3$ can help player $A_2$ punishing $A_1$, whereas in state $v_5$, $A_1$ can help player $A_2$ punishing $A_3$. Examples of punishing moves are therefore those depicted in red and bold; and they are part of the global strategy profile. Note that the action of $A_2$ out of $v_5$ has to be the same as the one out of $v_4$: this is required given the imperfect knowledge of $A_2$. On the other hand, the action of $A_3$ can be different out of $v_4$ and out of $v_5$ (which is the case in the given example profile).


Two-Player Turn-Based Game Structures. They are specific cases of the previous model, where at each vertex, at most one player has more than one action in her set of allowed actions. But for convenience, we will give a simplified definition, with only the objects that will be useful. A two-player turn-based game structure is a tuple $\mathcal{G} = (S, S_{\mathrm{Eve}}, S_{\mathrm{Adam}}, s_{\mathrm{init}}, \mathcal{A}, \mathrm{Allow}, \mathrm{Tab})$, where $S = S_{\mathrm{Eve}} \cup S_{\mathrm{Adam}}$ is a finite set of states (states in $S_{\mathrm{Eve}}$ belong to player Eve whereas states in $S_{\mathrm{Adam}}$ belong to player Adam), $s_{\mathrm{init}} \in S$ is the initial state, $\mathcal{A}$ is a finite alphabet, $\mathrm{Allow}: S \to 2^{\mathcal{A}} \setminus \{\emptyset\}$ gives the set of available actions, and $\mathrm{Tab}: S \times \mathcal{A} \to S$ is the next-state function. If $s \in S_{\mathrm{Eve}}$ (resp. $S_{\mathrm{Adam}}$), $\mathrm{Allow}(s)$ is the set of actions allowed to Eve (resp. Adam) in state $s$.

In this context, strategies will see sequences of states and actions, with full 
information. Note that we do not include any winning condition or payoff func- 
tion in the tuple, hence the name structure. 


2.2 The Problem 


We are interested in the constrained existence of a Nash equilibrium. For simplicity, we define constraints using non-strict threshold constraints, but we could well impose more involved constraints.


Problem 1 (Constrained existence problem). Given a game with signals $\mathcal{G} = (V, v_{\mathrm{init}}, P, \mathrm{Act}, \Sigma, \mathrm{Allow}, \mathrm{Tab}, (\ell_A)_{A \in P}, (\mathrm{payoff}_A)_{A \in P})$ and threshold vectors $(\nu_A)_{A \in P}, (\nu'_A)_{A \in P} \in \overline{\mathbb{Q}}^P$, can we decide whether there exists a Nash equilibrium $\sigma_P$ from $v_{\mathrm{init}}$ such that for every $A \in P$, $\nu_A \le \mathrm{payoff}_A(\mathrm{out}(\sigma_P, v_{\mathrm{init}})) \le \nu'_A$? If so, compute one. If the constraints on the payoff are trivial (that is, $\nu_A = -\infty$ and $\nu'_A = +\infty$ for every $A \in P$), we simply speak of the existence problem.


2.3 First Undecidability Results 


In this section we state two preliminary undecidability results. 


Theorem 1.
- The existence problem in games with signals is undecidable with three players and publicly visible Boolean ω-regular payoff functions.
- The constrained existence problem in games with a public signal is undecidable with two players and privately visible mean payoff functions.


Proofs of these results rely on the distributed synthesis problem [26] for the 
first one, and on blind two-player mean-payoff games [19] for the second one. 
While there is no real surprise in the first result since we know that arbitrary 
partial information yields intrinsic difficulties, the second one suggests restric- 
tions both to public signals and to publicly visible payoff functions. 

In the following we will focus on public signals and develop an epistemic 
game abstraction, which will record and track possible deviations in the game. 
This will then be applied to get decidability results in two frameworks assuming 
publicly visible payoff functions. 


3 The Epistemic Game Abstraction 


Building over [4,9], we construct an epistemic game, which will record pos- 
sible behaviours of the system, together with possible unilateral deviations. 
In [4], notions of epistemic Kripke structures are used to really track the precise 
knowledge of the players. These are mostly useful since undistinguishable states 
(expressed using signals here) are assumed arbitrary (no hierarchical structure). 
We could do the same here, but we think that would be overly complex and hide 
the real structure of knowledge in the framework of public signals. We therefore 
prefer to stick to simpler subset constructions, which are more commonly used 
(see e.g. [27] or later [14,19,22]), though it has to be a bit more involved here 
since also deviations have to be tracked. 

Let $\mathcal{G} = (V, v_{\mathrm{init}}, P, \mathrm{Act}, \Sigma, \mathrm{Allow}, \mathrm{Tab}, \ell, (\mathrm{payoff}_A)_{A \in P})$ be a concurrent game with public signal. We will first define the epistemic abstraction as a two-player game structure $\mathcal{E}_{\mathcal{G}} = (S_{\mathrm{Eve}}, S_{\mathrm{Adam}}, s_{\mathrm{init}}, \Sigma', \mathrm{Allow}', \mathrm{Tab}')$, and then state the correspondence between $\mathcal{G}$ and $\mathcal{E}_{\mathcal{G}}$. The epistemic abstraction will later be used for decidability and algorithmics purposes. For clarity, we use the terminology "vertices" in $\mathcal{G}$ and "states" (or "epistemic states") in $\mathcal{E}_{\mathcal{G}}$.


3.1 Construction of the Game Structure Eg 


The game Eg will be played between two players, Eve and Adam. The aim of 
Eve is to build a suitable Nash equilibrium, whereas the aim of Adam is to prove 
that it is not an equilibrium; in particular, Adam will try to find a profitable 
deviation (to disprove the claim of Eve that she is building a Nash equilibrium). 
Choices available to Eve and Adam in the abstract game have to reflect the partial knowledge of the players in the original game $\mathcal{G}$. States in the abstract game will therefore store information which is sufficient to infer the undistinguishability relation of all the players in the original game. Thanks to the public signal assumption, this information will have a simple structure.

In the following, we set $P_\bot = P \cup \{\bot\}$, where $\bot$ is a fresh symbol. For convenience, if $m \in \mathrm{Act}^P$, we extend the notation $m(-A)$ when $A \in P$ to $P_\bot$ by setting $m(-\bot) = m$. We now describe all the components of $\mathcal{E}_{\mathcal{G}}$.
A state of Eve will store a set of vertices of the original game one can be in, together with possible deviators. More precisely, states of Eve are defined as $S_{\mathrm{Eve}} = \{s: P_\bot \to 2^V \mid |s(\bot)| \le 1\}$. Let $s \in S_{\mathrm{Eve}}$. If $A \in P$, the vertices of $s(A)$ are those the game can be in, assuming one has followed the suggestions of Eve so far, up to an $A$-deviation; on the other hand, if $s(\bot) \ne \emptyset$, the single vertex $v \in s(\bot)$ is the one the game is in, assuming one has followed all suggestions by Eve so far (in particular, if Eve is building a Nash equilibrium, then this vertex belongs to the main outcome of the equilibrium). We define $\mathrm{sit}(s) = \{(v, A) \in V \times P_\bot \mid v \in s(A)\}$ for the set of situations the game can be in at $s$:


(a) $(v, \bot) \in \mathrm{sit}(s)$ is the situation where the game has proceeded to vertex $v$ without any deviation;

(b) $(v, A) \in \mathrm{sit}(s)$ with $A \in P$ is the situation where the game has proceeded to vertex $v$, benefitting from an $A$-deviation.


The structure of state $s$ will allow one to infer the undistinguishability relation of all the players in game $\mathcal{G}$: basically (and we will formalize this later), if she is not responsible for a deviation, player $A \in P$ will not know in which of the situations of $\mathrm{sit}(s) \setminus (V \times \{A\})$ the game has proceeded; if she is responsible for a deviation, player $A$ will know exactly in which vertex $v \in s(A)$ the game has proceeded.

Let $s \in S_{\mathrm{Eve}}$. From state $s$, Eve will suggest a tuple of moves $M$, one for each possible situation $(v, A) \in \mathrm{sit}(s)$. This tuple of moves has to satisfy the undistinguishability relation: if a player does not distinguish between two situations, her action should be the same in these two situations:

$$\mathrm{Allow}'(s) = \Big\{ M \in \prod_{(v, A) \in \mathrm{sit}(s)} \mathrm{Allow}(v) \;\Big|\; \forall (v_B, B), (v_C, C) \in \mathrm{sit}(s),\ \forall A \in P \setminus \{B, C\},\ M(v_B, B)(A) = M(v_C, C)(A) \Big\}$$

In the above set, the constraint $M(v_B, B)(A) = M(v_C, C)(A)$ expresses the fact that player $A$ should play the same action in the two situations $(v_B, B)$ and $(v_C, C)$, since she does not distinguish between them. Obviously, we assume $\Sigma'$ contains all elements of $\mathrm{Allow}'(s)$ above.

States of Adam are then copies of states of Eve with the suggestions given by Eve, that is: $S_{\mathrm{Adam}} = \{(s, M) \mid s \in S_{\mathrm{Eve}},\ M \in \mathrm{Allow}'(s)\}$. And naturally, we define $\mathrm{Tab}'(s, M) = (s, M)$ if $M \in \mathrm{Allow}'(s)$.

Let $(s, M) \in S_{\mathrm{Adam}}$. From state $(s, M)$, Adam will choose a signal value which can be activated from some situation allowed in $s$, after no deviation or a single-player deviation w.r.t. $M$. From a situation $(v, A) \in \mathrm{sit}(s)$ with $A \in P$, only $A$-deviations can be allowed (since we look for unilateral deviations), hence any signal activated by an $A$-deviation (w.r.t. $M(v, A)$) from $v$ should be allowed. From the situation $(v, \bot) \in \mathrm{sit}(s)$ (if there is one), one can continue without any deviation, or any kind of single-player deviation should be allowed, hence the signal activated by $M(v, \bot)$ from $v$ should be allowed, and any signal activated by some $A$-deviation (w.r.t. $M(v, \bot)$) from $v$ should be allowed as well. Formally:
$$\mathrm{Allow}'(s, M) = \Big\{ \beta \in \Sigma \;\Big|\; \exists A \in P,\ \exists v \in s(A),\ \exists m \in \mathrm{Act}^P \text{ s.t. (i) } m(-A) = M(v, A)(-A) \text{ and (ii) } \ell(m, \mathrm{Tab}(v, m)) = \beta \Big\}$$
$$\cup\ \Big\{ \beta \in \Sigma \;\Big|\; \exists v \in s(\bot),\ \exists A \in P_\bot,\ \exists m \in \mathrm{Act}^P \text{ s.t. (i) } m(-A) = M(v, \bot)(-A) \text{ and (ii) } \ell(m, \mathrm{Tab}(v, m)) = \beta \Big\}$$


Note that we implicitly assume that $\Sigma'$ contains $\Sigma$.

It remains to explain how one can compute the next state of some $(s, M) \in S_{\mathrm{Adam}}$ after some signal value $\beta \in \mathrm{Allow}'(s, M)$. The new state has to represent the new knowledge of the players in the original game when they have seen signal $\beta$; this has to take into account all possible deviations that we have already discussed which activate the signal value $\beta$. The new state is the result of several simultaneous subset constructions, which we formalize as follows: $s' = \mathrm{Tab}'((s, M), \beta)$, where for every $A \in P_\bot$, $v' \in s'(A)$ if and only if there is $m \in \mathrm{Act}^P$ such that $\beta = \ell(m, v')$, and

1. either there is $v \in s(A)$ such that $m(-A) = M(v, A)(-A)$ and $v' = \mathrm{Tab}(v, m)$;
2. or there is $v \in s(\bot)$ such that $m(-A) = M(v, \bot)(-A)$ and $v' = \mathrm{Tab}(v, m)$.

Note that in case $A = \bot$, the two above cases are redundant. Before stating properties of $\mathcal{E}_{\mathcal{G}}$, we illustrate the construction.


Example 2. We consider again the example of Fig. 1, and we assume that the public signal when reaching the leaves of the game is uniformly orange. We depict (part of) the epistemic game abstraction of the game on Fig. 2. One can notice that from Eve-states $s_1$ and $s_2$, moves are multi-dimensional, in the sense that there is one move per vertex appearing in the state. There are nevertheless compatibility conditions which should be satisfied (expressed in condition $\mathrm{Allow}'$); for instance, from $s_2$, player $A_2$ does not distinguish between the two options (i) $A_1$ has deviated and the game is in $v_4$, and (ii) $A_3$ has deviated and the game is in $v_5$, hence the action of player $A_2$ should be the same in the two moves ($a$ in the depicted example, written in red).
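To make the construction concrete, here is an added Python sketch (not code from the paper) of $\mathrm{sit}$, $\mathrm{Allow}'(s)$, $\mathrm{Allow}'(s, M)$ and $\mathrm{Tab}'$ over a small constructed three-player game with public signal; the vertices $v_0, \ldots, v_3$, the actions $a, b$ and the colour signals are assumptions of the example, and case 2 of $\mathrm{Tab}'$ is read literally, so the suggested move $M(v, \bot)$ itself also populates $s'(A)$. After Eve suggests $(a, a, a)$ at $v_0$, the green signal leaves $s'(\bot)$ empty with suspects $A_1$ and $A_3$, and $\mathrm{Allow}'$ of that state forces $A_2$ to play the same action in both situations, as in Example 2.

```python
"""Epistemic abstraction (Section 3.1) over a constructed three-player game
with public signal; the signal is the colour of the vertex reached."""
from itertools import product

PLAYERS = ("A1", "A2", "A3")
BOT = "bot"                          # the fresh symbol written ⊥ on the page
P_BOT = PLAYERS + (BOT,)
ACTIONS = ("a", "b")
V0, V1, V2, V3 = "v0", "v1", "v2", "v3"

# Constructed Tab at v0: (a,a,a) is the move Eve suggests; a lone A2-deviation
# also reaches v1 (same colour, hence invisible), a lone A1-deviation reaches
# v2 and a lone A3-deviation reaches v3, which share the colour green.
TAB_V0 = {("a", "a", "a"): V1, ("a", "b", "a"): V1,
          ("b", "a", "a"): V2, ("a", "a", "b"): V3}
COLOUR = {V0: "white", V1: "yellow", V2: "green", V3: "green"}

def allow(v, player):
    """Allow(v, A): every action is available everywhere in the toy game."""
    return ACTIONS

def tab(v, move):
    """Tab(v, m): v0 follows TAB_V0 (else stays); other vertices are absorbing."""
    return TAB_V0.get(move, V0) if v == V0 else v

def signal(move, target):
    """Public signal l(m, v): only the colour of the target vertex is revealed."""
    return COLOUR[target]

def moves_at(v):
    """All joint moves in the product of Allow(v, A) over PLAYERS (in order)."""
    return list(product(*(allow(v, A) for A in PLAYERS)))

def minus(move, player):
    """m(-A): the move with A's component blanked out; m(-bot) = m."""
    if player == BOT:
        return move
    i = PLAYERS.index(player)
    return move[:i] + (None,) + move[i + 1:]

def sit(s):
    """sit(s) = {(v, A) in V x P_bot | v in s(A)}."""
    return [(v, A) for A in P_BOT for v in sorted(s[A])]

def allowed_moves(s):
    """Allow'(s): one move per situation, with equal actions for every player A
    outside {B, C} in the two situations (v_B, B) and (v_C, C)."""
    situations = sit(s)
    result = []
    for choice in product(*(moves_at(v) for v, _ in situations)):
        M = dict(zip(situations, choice))
        if all(M[(vB, B)][i] == M[(vC, C)][i]
               for (vB, B) in situations for (vC, C) in situations
               for i, A in enumerate(PLAYERS) if A not in (B, C)):
            result.append(M)
    return result

def allowed_signals(s, M):
    """Allow'(s, M): signals activated from some situation of s by no deviation
    (bot situation only) or by a unilateral deviation w.r.t. M."""
    signals = set()
    for v, A in sit(s):
        for D in (P_BOT if A == BOT else (A,)):
            for m in moves_at(v):
                if minus(m, D) == minus(M[(v, A)], D):
                    signals.add(signal(m, tab(v, m)))
    return signals

def step(s, M, beta):
    """Tab'((s, M), beta): parallel subset construction. v' lands in s'(A) iff
    some m with l(m, v') = beta reaches v' from s(A) or from s(bot) by an
    A-deviation w.r.t. M; read literally, the s(bot) case also admits
    m = M(v, bot) itself (for A = bot the two sources coincide)."""
    new = {}
    for A in P_BOT:
        reached = set()
        for src in {A, BOT}:
            for v in s[src]:
                for m in moves_at(v):
                    if minus(m, A) == minus(M[(v, src)], A):
                        target = tab(v, m)
                        if signal(m, target) == beta:
                            reached.add(target)
        new[A] = frozenset(reached)
    return new

def suspects(s):
    """susp(s): the players that may have deviated."""
    return {A for A in PLAYERS if s[A]}

def initial_state(v_init=V0):
    """s_init: the game is in v_init and nobody has deviated."""
    return {**{A: frozenset() for A in PLAYERS}, BOT: frozenset({v_init})}

def unfold_one_round():
    """Eve suggests (a,a,a) at v0; return the Eve-states Adam can pick after it."""
    s0 = initial_state()
    M0 = {(V0, BOT): ("a", "a", "a")}
    return {beta: step(s0, M0, beta) for beta in allowed_signals(s0, M0)}
```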


3.2 Interpretation of this Abstraction 


While we gave an intuitive meaning to the (epistemic) states of Eg, we now need 
to formalize this. And to do that, we need to explain how full histories and plays 
in Eg can be interpreted as full histories and plays in G. 

Let $v_0 \in V$, and define $s_0: P_\bot \to 2^V \in S_{\mathrm{Eve}}$ such that $s_0(\bot) = \{v_0\}$ and $s_0(A) = \emptyset$ for every $A \in P$. In the following, when $M \in \mathrm{Allow}'(s)$ for some $s \in S_{\mathrm{Eve}}$, if we speak of some $M(v, A)$, we implicitly assume that $(v, A) \in \mathrm{sit}(s)$. Given a full history

$$H = s_0 \xrightarrow{M_0} (s_0, M_0) \xrightarrow{\beta_0} s_1 \xrightarrow{M_1} (s_1, M_1) \xrightarrow{\beta_1} s_2 \cdots (s_{k-1}, M_{k-1}) \xrightarrow{\beta_{k-1}} s_k$$

in $\mathcal{E}_{\mathcal{G}}$, we write $\mathrm{concrete}(H)$ for the set of full histories in the original game which correspond to $H$, up to a single deviation, that is:

$$v_0 \xrightarrow{m_0} v_1 \xrightarrow{m_1} v_2 \cdots v_{k-1} \xrightarrow{m_{k-1}} v_k \in \mathrm{concrete}(H)$$

whenever for every $0 \le i \le k-1$, $v_{i+1} = \mathrm{Tab}(v_i, m_i)$ and $\beta_i = \ell(m_i, v_{i+1})$, and:

(a) either $m_i = M_i(v_i, \bot)$ for every $0 \le i \le k-1$;
(b) or there exist $A \in P$ and $0 \le i_0 \le k-1$ such that
  (i) for every $0 \le i < i_0$, $m_i = M_i(v_i, \bot)$;
  (ii) $m_{i_0} \ne M_{i_0}(v_{i_0}, \bot)$, but $m_{i_0}(-A) = M_{i_0}(v_{i_0}, \bot)(-A)$;
  (iii) for every $i_0 < i \le k-1$, $m_i(-A) = M_i(v_i, A)(-A)$.

Games on Graphs with a Public Signal Monitoring 541

[Fig. 2 (drawing): Eve-state with $\bot \mapsto \{(0,1,0)\}$, $A_1 \mapsto \{(1,1,0)\}$; Adam-state labelled $(a,b,a)$; Eve-state with $A_1 \mapsto \{(0,0,0)\}$, $A_2 \mapsto \emptyset$, $A_3 \mapsto \{(1,0,0), (0,0,0)\}$.]

Fig. 2. Part of the epistemic game corresponding to the game of Fig. 1. For clarity, symbol $-$ is for any choice $a$ or $b$ (the precise choice is meaningless). (Color figure online)


Case (a) corresponds to a concrete history with no deviation (all moves suggested by Eve have been followed). Case (b) corresponds to a deviation by player $A$, and $i_0$ is the position at which player $A$ has started deviating.

We write $\mathrm{concrete}_\bot(H)$ for the set of histories of type (a); there is at most one such history, which is the real concrete history suggested by Eve. And we write $\mathrm{concrete}_A(H)$ for the set of histories of type (b) with deviator $A$. The correctness of the approach is obtained thanks to the following characterization of the undistinguishability relations along $H$: for every $A \in P$, for every $h_1 \ne h_2 \in \mathrm{concrete}(H)$,

$$h_1 \sim_A h_2 \iff h_1, h_2 \notin \mathrm{concrete}_A(H).$$

In particular, a player may not distinguish between deviations by other players, or between a deviation by another player and the real concrete history suggested by Eve. But of course, in any case, a player will know that she has deviated!

We extend all these notions to full plays. A full play visiting only Eve-states $s$ such that $s(\bot) \ne \emptyset$ is called a $\bot$-play.
3.3 Winning Condition of Eve


A zero-sum game will be played on the game structure $\mathcal{E}_{\mathcal{G}}$, and the winning condition of Eve will be given on the branching structure of the set of outcomes of a strategy for Eve, and not individually on each outcome, as is standard in two-player zero-sum games. We write $s_{\mathrm{init}}$ for the state of Eve such that $s_{\mathrm{init}}(\bot) = \{v_{\mathrm{init}}\}$ and $s_{\mathrm{init}}(A) = \emptyset$ for every $A \in P$. Let $p = (p_A)_{A \in P} \in \overline{\mathbb{R}}^P$, and $\sigma_{\mathrm{Eve}}$ be a strategy for Eve in $\mathcal{E}_{\mathcal{G}}$; it is said winning for $p$ from $s_{\mathrm{init}}$ whenever $\mathrm{payoff}(\rho) = p$, where $\rho$ is the unique element of $\mathrm{concrete}_\bot(\mathrm{out}_\bot(\sigma_{\mathrm{Eve}}, s_{\mathrm{init}}))$ (where we write $\mathrm{out}_\bot(\sigma_{\mathrm{Eve}}, s_{\mathrm{init}})$ for the unique outcome of $\sigma_{\mathrm{Eve}}$ from $s_{\mathrm{init}}$ which is a $\bot$-play), and for every $R \in \mathrm{out}(\sigma_{\mathrm{Eve}}, s_{\mathrm{init}})$, for every $A \in P$, for every $\rho \in \mathrm{concrete}_A(R)$, $\mathrm{payoff}_A(\rho) \le p_A$.

For every epistemic state $s \in S_{\mathrm{Eve}}$, we define the set of suspect players $\mathrm{susp}(s) = \{A \in P \mid s(A) \ne \emptyset\}$ (this is the set of players that may have deviated). By extension, if

$$R = s_0 \xrightarrow{M_0} (s_0, M_0) \xrightarrow{\beta_0} s_1 \cdots s_k \xrightarrow{M_k} (s_k, M_k) \xrightarrow{\beta_k} s_{k+1} \cdots$$

we define $\mathrm{susp}(R) = \lim_{k \to \infty} \mathrm{susp}(s_k)$. Note that the sequence $(\mathrm{susp}(s_k))_k$ is non-increasing, hence it stabilizes.

Assuming public visibility of the payoff functions in $\mathcal{G}$, we can define, when $R$ is a full play in $\mathcal{E}_{\mathcal{G}}$ and $A \in P$, $\mathrm{payoff}'_A(R) = \mathrm{payoff}_A(\rho)$, where $\rho \in \mathrm{concrete}(R)$. It is easy to show that $\mathrm{payoff}'_A$ is well-defined for every $A \in P$. Under this assumption, the winning condition of Eve can be rewritten as: $\sigma_{\mathrm{Eve}}$ is winning for $p$ from $s_{\mathrm{init}}$ whenever $\mathrm{payoff}'(\mathrm{out}_\bot(\sigma_{\mathrm{Eve}}, s_{\mathrm{init}})) = p$, and for every $R \in \mathrm{out}(\sigma_{\mathrm{Eve}}, s_{\mathrm{init}})$, for every $A \in \mathrm{susp}(R)$, $\mathrm{payoff}'_A(R) \le p_A$.


3.4 Correction of the Epistemic Abstraction 


The epistemic abstraction tracks everything that is required to detect Nash 
equilibria in the original game, which we make explicit in the next result. Note 
that this theorem does not require public visibility of the payoff functions. 


Theorem 2. Let $\mathcal{G}$ be a concurrent game with public signal, and $p \in \overline{\mathbb{R}}^P$. There is a Nash equilibrium in $\mathcal{G}$ with payoff $p$ from $v_{\mathrm{init}}$ if and only if Eve has a winning strategy for $p$ in $\mathcal{E}_{\mathcal{G}}$ from $s_{\mathrm{init}}$.


The proof of this theorem highlights a correspondence between Nash equilibria in $\mathcal{G}$ and winning strategies of Eve in $\mathcal{E}_{\mathcal{G}}$. In this correspondence, the main outcome of the equilibrium in $\mathcal{G}$ is the unique $\bot$-concretisation of the unique $\bot$-play generated by the winning strategy of Eve.


3.5 Remarks on the Construction 


We did not formalize the epistemic unfolding as it is done in [4]. We believe that nothing is really gained, in the case of a public signal, by using it, and that the extended subset construction above is much easier to understand. 

One could argue that this epistemic game gives more information to the players, since Eve explicitly gives to everyone the move that should be played. But in the real game, the players also have that information, which is obtained by an initial coordination of the players (this is required to achieve equilibria). 

Finally, notice that the epistemic game constructed here generalizes the suspect game construction of [9], where all players have perfect information on the states of the game, but cannot see the actions that are precisely played. In a sense, games in [9] have a public signal telling the state the game is in (that is, $L(m, v) = v$). So, in the suspect game of [9], the sole uncertainty is in the players that may have deviated, not in the set of states that are visited. 


Remark 1. Let us analyze the size of the epistemic game abstraction. The size of the alphabet is bounded by |Σ| + |Act||®?HIVIQ+2)). Furthermore, $|\Sigma|$ is bounded by $|V| \cdot |Act|^{|P|}$. The number of states is therefore in O(2!2HV1 . |Act|!#/IVl). The epistemic game is therefore of exponential size w.r.t. the initial game. Note that we could reduce the bounds by using tricks like those in [9, Proposition 4.8], but this would not avoid an exponential blowup. 


4 Two Applications with Publicly Visible Payoffs 


While the construction of the epistemic game has transformed the computation 
of Nash equilibria in a concurrent game with public signal to the computa- 
tion of winning strategies in a two-player zero-sum turn-based game, we can- 
not apply standard algorithms out-of-the-box, because the winning condition is 
rather complex. In the following, we present two applications of that approach 
in the context of publicly visible payoffs, one with Boolean payoff functions, and 
another with mean payoff functions. Remember that in the latter case, public 
visibility is required to have decidability (Theorem 1). 

The epistemic game has a specific structure, which can be used for algorithmic purposes. The main outcome of a potential Nash equilibrium is given by a $\bot$-play, that is, a play visiting only epistemic states $s$ with $s(\bot) \neq \emptyset$. There are now two types of deviations: 


(i) those that are invisible to all players (except the deviator): they are tracked along the main $\bot$-play. Assuming public visibility of the payoff functions, such a deviation cannot be profitable to any of the players (the payoff of all concrete plays along that $\bot$-play coincides with the payoff of the main outcome), hence no specific punishing strategy has to be played. 

(ii) those that leave the main $\bot$-play at some point, and visit only epistemic states $s$ such that $s(\bot) = \emptyset$ from that point on: those are the deviations that need to be punished. Note nevertheless that the deviator may not be precisely known by all the players, hence punishing strategies need to take this into account. However, the set of potential deviators along a deviating play is non-increasing, and we can solve subgames with specific subsets of potential deviators separately (e.g. in a bottom-up approach). The winning objectives in those subgames will depend on the payoff functions (and will mostly be conjunctions of constraints on those functions), and also on the value of those payoff functions along the main outcome. 

Using such an approach and results of [16] on generalized parity games, we obtain the following result for Boolean $\omega$-regular payoff functions: 


Theorem 3. The constrained existence problem is in EXPSPACE and 
EXPTIME-hard for concurrent games with public signal and publicly visible 
Boolean payoff functions associated with parity conditions. The lower bound holds 
even for Büchi conditions and two players. 


The same approach could be used for the ordered objectives of [9], which are finite preference relations over sets of $\omega$-regular properties. Also, we believe we can enrich the epistemic game construction and provide an algorithm to decide the constrained existence problem for Boolean $\omega$-regular invisible payoff functions. 

We have also investigated publicly visible mean payoff functions. While we 
could have used the same bottom-up approach as above and applied results 
from [12,13], we adopt an approach similar to that of [11], which consists in 
transforming the winning condition of Eve in Eg into a so-called polyhedron 
query in a multi-dimensional mean-payoff game. Given such a game, a polyhe- 
dron query asks whether there exists a strategy for Eve which achieves a payoff 
belonging to some given polyhedron. Using this approach, we get the following 
result: 


Theorem 4. The constrained existence problem is in $\mathrm{NP}^{\mathrm{NEXPTIME}}$ (hence in EXPSPACE) and EXPTIME-hard for concurrent games with public signal and publicly visible mean payoff functions. 


5 Conclusion 


In this paper, we have studied concurrent games with imperfect monitoring modelled using signals. We have given some undecidability results, even in the case of public signals, when the payoff functions are not publicly visible. We have then proposed a construction to capture single-player deviations in games with public signals, and reduced the search for Nash equilibria to the synthesis of winning strategies in a two-player turn-based game (with a rather complex winning condition though). We have applied this general framework to two classes of payoff functions, and obtained decidability results. 

As further work we wish to understand better if there could be richer com- 
munication patterns which would allow representable knowledge structures for 
Nash equilibria and thereby the synthesis of Nash equilibria under imperfect 
monitoring. A source of inspiration for further work will be [28]. 
Abstract. We investigate data-enriched models, like Petri nets with 
data, where executability of a transition is conditioned by a relation 
between data values involved. Decidability status of various decision 
problems in such models may depend on the structure of data domain. 
According to the WQO Dichotomy Conjecture, if a data domain is homo- 
geneous then it either exhibits a well quasi-order (in which case decid- 
ability follows by standard arguments), or essentially all the decision 
problems are undecidable for Petri nets over that data domain. 

We confirm the conjecture for data domains being 3-graphs (graphs with 2-colored edges). On the technical level, this result is a significant step beyond known classification results for homogeneous structures. 


1 Introduction 


In Petri nets with data, tokens carry values from some data domain, and executability of transitions is conditioned by a relation between the data values involved. One can consider unordered data, like in [25], i.e., an infinite data domain with equality as the only relation; or ordered data, like in [21], i.e., an infinite densely totally ordered data domain; or timed data, like in timed Petri nets [1] and timed-arc Petri nets [15]. In [19] an abstract setting of Petri nets with an arbitrary fixed data domain $\mathbb{A}$ has been introduced, parametric in a relational structure $\mathbb{A}$. The setting uniformly subsumes unordered, ordered and timed data (represented by $\mathbb{A} = (\mathbb{N}, =)$, $\mathbb{A} = (\mathbb{Q}, <)$ and $\mathbb{A} = (\mathbb{Q}, <, +1)$, respectively). Following [19], in order to enable finite presentation of Petri nets with data, and in particular to consider such models as input to algorithms, we restrict to relational structures $\mathbb{A}$ that are homogeneous [23] and effective (the formal definitions are given in Sect. 2). Certain standard decision problems (like the termination problem, the boundedness problem, or the coverability problem, jointly called from now on standard problems) are all decidable for Petri nets with ordered data [21] (and in consequence also for Petri nets with unordered data), as the model fits into the framework of well-structured transition systems of [11]. 
Most importantly, the structure $\mathbb{A} = (\mathbb{Q}, <)$ of ordered data admits well quasi-order (WQO) in the following sense: for any WQO $X$, the set of finite induced substructures of $(\mathbb{Q}, <)$ (i.e., finite total orders) labeled by elements of $X$, ordered naturally by embedding, is a WQO (this is exactly Higman's lemma). Moreover, essentially the same argument can be used for any other homogeneous effective data domain which admits WQO (see [19] for details). On the other hand, for certain homogeneous effective data domains $\mathbb{A}$ the standard problems become all undecidable. In the quest for understanding the decidability borderline, the following hypothesis has been formulated in [19]: 


Conjecture 1 (WQO Dichotomy Conjecture [19]). For an effective homogeneous structure $\mathbb{A}$, either $\mathbb{A}$ admits WQO (in which case the standard problems are decidable for Petri nets with data $\mathbb{A}$), or all the standard problems are undecidable for Petri nets with data $\mathbb{A}$. 


According to [19], the conjecture could have been equivalently stated for other data-enriched models, e.g., for finite automata with one register [2]. In this paper we consider, for the sake of presentation, only Petri nets with data. The WQO Dichotomy Conjecture holds in the special cases when the data domains $\mathbb{A}$ are undirected or directed graphs, due to the known classifications of homogeneous graphs [6,18]. 


Contributions. We confirm the WQO Dichotomy Conjecture for data domains $\mathbb{A}$ being strongly¹ homogeneous 3-graphs. A 3-graph is a logical structure with three irreflexive symmetric binary relations such that every pair of elements of $\mathbb{A}$ belongs to exactly one of the relations (essentially, a clique with 3-colored edges). 

Our main technical contribution is a complex analysis of possible shapes of 
strongly homogeneous 3-graphs, constituting the heart of the proof. We believe 
that this is a significant step towards full classification of homogeneous 3-graphs. 
The classification of homogeneous structures is a well-known challenge in model 
theory, and has been only solved in some cases by now: for undirected graphs [18], 
directed graphs (the proof of Cherlin spans a book [6]), multi-partite graphs [16], 
and few others (the survey [23] is an excellent overview of homogeneous struc- 
tures). Although the full classification of homogeneous 3-graphs was not our 
primary objective, we believe that our analysis significantly improves our under- 
standing of these structures and can be helpful for classification. 

Our result does not fully settle the status of the WQO Dichotomy Conjecture. Dropping the (mild) strong homogeneity assumption, as well as extending the proof to arbitrarily many symmetric binary relations, is left for future work. 


Related Research. Net models similar to Petri nets with data have been continuously proposed since the 80s, including, among others, high-level Petri nets [13], colored Petri nets [17], unordered and ordered data nets [21], ν-Petri nets [25], 


1 Strong homogeneity is a mild strengthening of homogeneity. 
and constraint multiset rewriting [5,8,9]. Petri nets with data can also be considered as a reinterpretation of the classical definition of Petri nets in sets with atoms [3,4], where one allows for orbit-finite sets of places and transitions instead of just finite ones. The decidability and complexity of standard problems for Petri nets over various data domains have attracted a lot of attention recently, see for instance [14,21,22,24,25]. 

WQOs are important for their wide applicability in many areas. Studies of WQOs similar to ours, in the case of graphs, have been conducted by Ding [10] and Cherlin [7]; their framework is different though, as they concentrate on subgraph ordering while we investigate induced subgraph (or substructure) ordering. 


2 Petri Nets with Homogeneous Data 


In this section we provide all necessary preliminaries. Our setting follows [19] 
and is parametric in the underlying logical structure A, which constitutes a data 
domain. Here are some example data domains: 


— Equality data domain: natural numbers with equality $\mathbb{A}_= = (\mathbb{N}, =)$. Note that any other countably infinite set could be used instead of natural numbers, as the only available relation is equality. 

— Total order data domain: rational numbers with the standard order $\mathbb{A}_< = (\mathbb{Q}, <)$. Again, any other countably infinite dense total order without extremal elements could be used instead. 

— Nested equality data domain: $\mathbb{A}_{\mathrm{N}} = (\mathbb{N}^2, =_1, =)$ where $=_1$ is equality on the first component only: $(n, m) =_1 (n', m')$ if $n = n'$ and $m \neq m'$. Essentially, $\mathbb{A}_{\mathrm{N}}$ is an equivalence relation with infinitely many infinite equivalence classes. 


Note that the two latter structures essentially extend the first one: in each case equality is either present explicitly, or is definable. From now on, we always assume a fixed countably infinite relational structure $\mathbb{A}$ with equality over a finite vocabulary (signature) $\Sigma$. 


Petri Nets with Data. Petri nets with data are exactly like classical place/transition Petri nets, except that tokens carry data values and these data values must satisfy a prescribed constraint when a transition is executed. Formally, a Petri net with data $\mathbb{A}$ consists of two disjoint finite sets $P$ (places) and $T$ (transitions), the arcs $A \subseteq P \times T \cup T \times P$, and two labelings: 

— arcs are labelled by pairwise disjoint finite nonempty sets of variables; 

— transitions are labelled by first-order formulas over the vocabulary $\Sigma$ of $\mathbb{A}$, such that the free variables of the formula labeling a transition $t$ belong to the union of the labels of the arcs incident to $t$. 


Fig. 1. A Petri net with equality data, with places $P = \{p_1, p_2\}$ and transitions $T = \{t_1, t_2\}$. In the shown configuration, $t_2$ can be fired: consume two tokens carrying 3, and put, e.g., a token carrying 4 on $p_1$ and tokens carrying 4, 6 on $p_2$. (Figure not reproduced.) 

Example 1. For illustration consider a Petri net with equality data $\mathbb{A}_=$, with two places $p_1, p_2$ and two transitions $t_1, t_2$ depicted in Fig. 1. Transition $t_1$ outputs two tokens with arbitrary but distinct data values onto place $p_1$. Transition $t_2$ inputs two tokens with the same data value, say $a$, one from $p_1$ and one from $p_2$, and outputs 3 tokens: two tokens with arbitrary but equal data values, say $b$, one onto $p_1$ and the other onto $p_2$; and one token with a data value $c \neq a$ onto $p_2$. Note that the transition $t_2$ does not specify whether $b = a$, or $b = c$, or $b \neq a, c$, and therefore all three options are allowed. Variables $y_1, y_2$ can be considered as input variables of $t_2$, while variables $z_1, z_2, z_3$ can be considered as output ones; analogously, $t_1$ has no input variables, and two output ones $x_1, x_2$. 


The formal semantics of Petri nets with data is given by translation to multiset rewriting. Given a set $X$, finite or infinite, a finite multiset over $X$ is a finite (possibly empty) partial function from $X$ to positive integers. In the sequel let $\mathcal{M}(X)$ stand for the set of all finite multisets over $X$. A multiset rewriting system $(\mathcal{P}, \mathcal{T})$ consists of a set $\mathcal{P}$ together with a set of rewriting rules: 
$$\mathcal{T} \subseteq \mathcal{M}(\mathcal{P}) \times \mathcal{M}(\mathcal{P}).$$
Configurations $C \in \mathcal{M}(\mathcal{P})$ are finite multisets over $\mathcal{P}$, and the step relation $\longrightarrow$ between configurations is defined as follows: for every $(I, O) \in \mathcal{T}$ and every $M \in \mathcal{M}(\mathcal{P})$, there is the step ($+$ stands for multiset union) 
$$M + I \longrightarrow M + O.$$


For instance, a classical Petri net induces a multiset rewriting system where $\mathcal{P}$ is the set of places, and $\mathcal{T}$ is essentially the set of transitions, both $\mathcal{P}$ and $\mathcal{T}$ being finite. Configurations correspond to markings. 

A Petri net with data $\mathbb{A}$ induces a multiset rewriting system $(\mathcal{P}, \mathcal{T})$, where $\mathcal{P} = P \times \mathbb{A}$ and thus is infinite. Configurations are finite multisets over $P \times \mathbb{A}$ (cf. the configuration depicted in Fig. 1). The rewriting rules $\mathcal{T}$ are defined as 
$$\mathcal{T} = \bigcup_{t \in T} \mathcal{T}_t,$$
where the relation $\mathcal{T}_t \subseteq \mathcal{M}(\mathcal{P}) \times \mathcal{M}(\mathcal{P})$ is defined as follows. Let $\varphi$ denote the formula labeling the transition $t$, and let $X_I, X_O$ be the sets of input and output variables of $t$. Every valuation $v_I : X_I \to \mathbb{A}$ gives rise to a multiset $M_{v_I}$ over $\mathcal{P}$, where $M_{v_I}(p, a)$ is the (positive) number of variables $x$ labeling the arc $(p, t)$ with $v_I(x) = a$. Likewise for valuations $v_O : X_O \to \mathbb{A}$. Then let 
$$\mathcal{T}_t = \{\, (M_{v_I}, M_{v_O}) \mid v_I : X_I \to \mathbb{A},\ v_O : X_O \to \mathbb{A},\ v_I, v_O \models \varphi \,\}.$$
Like $\mathcal{P}$, the set of rewriting rules $\mathcal{T}$ is infinite in general. As usual, for a net $N$ and its configuration $C$, a run of $(N, C)$ is a maximal, finite or infinite, sequence of steps starting in $C$. 
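The following Python code is an added example (not code from the paper) that executes the multiset-rewriting semantics just defined, for the equality data domain $\mathbb{A}_=$, on the net of Example 1. Arc labels and the guards of $t_1$ and $t_2$ (written as Python predicates over a valuation in place of first-order formulas), the sample configuration with one token carrying 3 on each place, and the fresh output values 4 and 6 are reconstructed from the description of Example 1 and Fig. 1; the function and variable names are assumptions of the example.

```python
from collections import Counter
from itertools import product

# A configuration is a finite multiset over P x A, represented as a Counter mapping
# (place, data value) -> multiplicity.  Data values are plain Python ints, so
# equality is the only relation available: this is the domain A_= of the text.


class Transition:
    """A transition with its incident arcs and guard.

    `inputs` / `outputs` map a place to the tuple of variables labelling the arc
    (place, t) / (t, place).  `guard` is a predicate over a valuation
    (dict variable -> value), standing in for the first-order formula phi.
    """

    def __init__(self, name, inputs, outputs, guard):
        self.name, self.inputs, self.outputs, self.guard = name, inputs, outputs, guard

    @property
    def input_vars(self):
        return [x for vs in self.inputs.values() for x in vs]

    @property
    def output_vars(self):
        return [x for vs in self.outputs.values() for x in vs]


def multiset_of(arcs, valuation):
    """M_v of the text: (p, a) -> number of variables x on the arc of p with v(x) = a."""
    m = Counter()
    for place, variables in arcs.items():
        for x in variables:
            m[(place, valuation[x])] += 1
    return m


def fire(config, t, v_in, v_out):
    """One step  M + I -> M + O  of the induced rewriting system, or None when the
    valuations violate the guard or I is not a sub-multiset of the configuration."""
    if not t.guard({**v_in, **v_out}):
        return None
    inputs = multiset_of(t.inputs, v_in)
    config = Counter(config)
    if any(config[token] < n for token, n in inputs.items()):
        return None
    result = config - inputs            # Counter subtraction keeps positive counts only
    result.update(multiset_of(t.outputs, v_out))
    return result


def successors(config, t, fresh=()):
    """All configurations reachable by one firing of t.  Input values are drawn from
    the tokens present; output values additionally range over `fresh`.  In the
    equality domain every fresh value looks the same up to automorphism, so a few
    representatives suffice to enumerate every shape of successor."""
    present = sorted({a for (_, a) in config})
    reachable = set()
    for in_vals in product(present, repeat=len(t.input_vars)):
        v_in = dict(zip(t.input_vars, in_vals))
        for out_vals in product(present + list(fresh), repeat=len(t.output_vars)):
            v_out = dict(zip(t.output_vars, out_vals))
            new = fire(config, t, v_in, v_out)
            if new is not None:
                reachable.add(frozenset(new.items()))
    return reachable


# The net of Example 1, reconstructed from its description and Fig. 1.
# t1: no input arcs; arc (t1, p1) labelled {x1, x2}; guard x1 != x2.
t1 = Transition("t1", inputs={}, outputs={"p1": ("x1", "x2")},
                guard=lambda v: v["x1"] != v["x2"])
# t2: arcs (p1, t2) = {y1}, (p2, t2) = {y2}, (t2, p1) = {z1}, (t2, p2) = {z2, z3};
# guard: y1 = y2 (the common value a), z1 = z2 (the value b), z3 != y1 (c != a).
t2 = Transition("t2",
                inputs={"p1": ("y1",), "p2": ("y2",)},
                outputs={"p1": ("z1",), "p2": ("z2", "z3")},
                guard=lambda v: v["y1"] == v["y2"] and v["z1"] == v["z2"]
                and v["z3"] != v["y1"])

# Constructed sample configuration: one token carrying 3 on each place, as in Fig. 1.
C0 = Counter({("p1", 3): 1, ("p2", 3): 1})

if __name__ == "__main__":
    print(fire(C0, t2, {"y1": 3, "y2": 3}, {"z1": 4, "z2": 4, "z3": 6}))
    print(len(successors(C0, t2, fresh=(4, 6))))
```

`successors` enumerates the six shapes of configuration that one firing of $t_2$ can produce from the configuration of Fig. 1 (the three options $b = a$, $b = c$, $b \neq a, c$ combined with the choice of $c$), which makes concrete why $\mathcal{T}_t$ is infinite while the set of successors up to automorphism is finite.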


Remark 1. As for classical Petri nets, an essentially equivalent definition can be 
given in terms of vector addition systems (such a variant has been used in [14] for 
equality data). Petri nets with equality data are equivalent to (even if defined 
differently than) unordered data Petri nets of [21], and Petri nets with total 
ordered data are equivalent to ordered data Petri nets of [21]. 


Effective Homogeneous Structures. For two relational $\Sigma$-structures $A$ and $B$ we say that $A$ embeds in $B$, written $A \le B$, if $A$ is isomorphic to an induced substructure of $B$, i.e., to a structure obtained by restricting $B$ to a subset of its domain. This is witnessed by an injective function² $h : A \to B$, which we call an embedding. We write $\mathrm{AGE}(\mathbb{A}) = \{\, A \text{ a finite structure} \mid A \le \mathbb{A} \,\}$ for the class of all finite structures that embed into $\mathbb{A}$, and call it the age of $\mathbb{A}$. 

Homogeneous structures are defined through their automorphisms: $\mathbb{A}$ is homogeneous if every isomorphism of two of its finite induced substructures extends to an automorphism of $\mathbb{A}$. In the sequel we will also need an equivalent definition using amalgamation. An amalgamation instance consists of three structures $A, B_1, B_2 \in \mathrm{AGE}(\mathbb{A})$ and two embeddings $h_1 : A \to B_1$ and $h_2 : A \to B_2$. A solution of such an instance is a structure $C \in \mathrm{AGE}(\mathbb{A})$ and two embeddings $g_1 : B_1 \to C$ and $g_2 : B_2 \to C$ such that $g_1 \circ h_1 = g_2 \circ h_2$ (we refer the reader to [12] for further details). Intuitively, $C$ represents 'gluing' of $B_1$ and $B_2$ along the partial bijection $h_2 \circ h_1^{-1}$. In this paper we will restrict ourselves to singleton amalgamation instances, where only one element of $B_1$ is outside of $h_1(A)$, and likewise for $B_2$. 

An example singleton amalgamation instance is shown in the figure (not reproduced here): the graph $A$ consists of the single edge connecting the two middle black nodes, $B_1$ is the left triangle, and $B_2$ the right one. The dashed line represents an edge that may (but does not have to) appear in a solution. $\mathbb{A}$ is homogeneous if, and only if, every amalgamation instance has a solution; in such case we say that $\mathrm{AGE}(\mathbb{A})$ has the amalgamation property. See [23] for further details. 

A solution $C$ necessarily satisfies $g_1(h_1(A)) = g_2(h_2(A)) \subseteq g_1(B_1) \cap g_2(B_2)$; a solution is strong if $g_1(h_1(A)) = g_1(B_1) \cap g_2(B_2)$. Intuitively, this forbids additional gluing of $B_1$ and $B_2$ not specified by the partial bijection $h_2 \circ h_1^{-1}$. If every amalgamation instance has a strong solution we call $\mathbb{A}$ strongly homogeneous. This is a mild restriction, as homogeneous structures are typically strongly homogeneous. 


2 We deliberately do not distinguish a structure A from its domain set. 
The equality, nested equality, and total order data domains are strongly homogeneous structures. For instance, in the latter case finite induced substructures are just finite total orders, which satisfy the strong amalgamation property. Many other natural classes of structures have the amalgamation property: finite graphs, finite directed graphs, finite partial orders, finite tournaments, etc. Each of these classes is the age of a strongly homogeneous relational structure, namely the universal graph (also called the random graph), the universal directed graph, the universal partial order, the universal tournament, respectively. Examples of homogeneous structures abound [23]. 

Homogeneous structures admit quantifier elimination: every first-order for- 
mula is equivalent to (i.e., defines the same set as) a quantifier-free one [23]. 
Thus it is safe to assume that formulas labeling transitions are quantifier-free. 


Admitting WQO. A well quasi-order (WQO) is a well-founded quasi-order with no infinite antichains. For instance, finite multisets $\mathcal{M}(P)$ over a finite set $P$, ordered by multiset inclusion $\sqsubseteq$, are a WQO. Another example is the embedding quasi-order $\le$ in $\mathrm{AGE}(\mathbb{A}_<)$ ($=$ all finite total orders), isomorphic to the ordering of natural numbers. Finally, the embedding quasi-order in $\mathrm{AGE}(\mathbb{A})$ can be lifted from finite structures to finite structures labeled by elements of some ordered set $(X, \le)$: for two such labeled structures $a : A \to X$ and $b : B \to X$ we define $a \le_X b$ if some embedding $h : A \to B$ satisfies $a(x) \le b(h(x))$ for every $x \in A$. We say that $\mathbb{A}$ admits WQO when for every WQO $(X, \le)$, the lifted embedding order $\le_X$ is a WQO too. For instance, $\mathbb{A}_<$ admits WQO by Higman's lemma. The WQO Dichotomy Conjecture for homogeneous undirected (and also directed) graphs is easily shown by inspection of the classifications thereof [6,18]: 


Theorem 1. A homogeneous graph A either admits WQO, or all standard prob- 
lems are undecidable for Petri nets with data A. 


Note the natural correspondence between configurations of a Petri net with data $\mathbb{A}$, and structures $A \in \mathrm{AGE}(\mathbb{A})$ labeled by finite multisets over the set $P$ of places: 
$$\mathcal{M}(P \times \mathbb{A}) \;\cong\; \{\, m : A \to \mathcal{M}(P) \mid A \in \mathrm{AGE}(\mathbb{A}) \,\}.$$
Thus the lifted embedding quasi-order $\le_{\mathcal{M}(P)}$ is an order on configurations. 


Standard Decision Problems. A Petri net with data $N$ can be finitely represented by finite sets $P, T, A$ and appropriate labelings with variables and formulas. Due to the homogeneity of $\mathbb{A}$, a configuration $C$ can be represented (up to automorphism of $\mathbb{A}$) by a structure $A \in \mathrm{AGE}(\mathbb{A})$ labeled by $\mathcal{M}(P)$. We can thus consider the classical decision problems that input Petri nets with data $\mathbb{A}$, like the termination problem: does a given $(N, C)$ have only finite runs? The data domain is considered as a parameter, and hence itself does not constitute part of the input. Another classical problem is the place non-emptiness problem (markability): given $(N, C)$ and a place $p$ of $N$, does $(N, C)$ admit a run that puts at least one token on place $p$? One can also define the appropriate variants of the coverability problem (equivalent to the place non-emptiness problem), the boundedness problem, the evitability problem, etc. (see [19] for details). All the decision problems mentioned above we jointly call standard problems. 

A structure $\mathbb{A}$ is called effective if the following age problem for $\mathbb{A}$ is decidable: given a finite $\Sigma$-structure $A$, decide whether $A \le \mathbb{A}$. If $\mathbb{A}$ admits WQO then application of the framework of well-structured transition systems [11] to the lifted embedding order $\le_{\mathcal{M}(P)}$ yields: 

Theorem 2 ([19]). If an effective homogeneous structure $\mathbb{A}$ admits WQO then all the standard problems are decidable for Petri nets with data $\mathbb{A}$. 


3 Results 


A 3-graph $G = (V, C_1, C_2, C_3)$ consists of a set $V$ and three irreflexive symmetric binary relations $C_1, C_2, C_3 \subseteq V^2$ such that every pair of distinct elements of $V$ belongs to exactly one of the three relations. In the sequel we treat a 3-graph as a clique with 3-colored edges. Any graph, including $\mathbb{A}_=$ and $\mathbb{A}_{\mathrm{N}}$, can be seen as a 3-graph. Our main result confirms the WQO Dichotomy Conjecture for strongly homogeneous 3-graphs: 


Theorem 3. An effective strongly homogeneous 3-graph G either admits WQO, 
or all standard problems are undecidable for Petri nets with data G. 


The core technical result of the paper is Theorem 4 below. A path is a finite graph with nodes $\{v_1, \ldots, v_n\}$ whose only edges are the pairs $\{v_i, v_{i+1}\}$. The nodes $v_1, v_n$ are the ends of the path, and $n$ is its length. 


Theorem 4. A strongly homogeneous 3-graph $G$ either admits WQO, or for some $i, j \in \{1, 2, 3\}$ (not necessarily distinct) the graph $(V, C_i \cup C_j)$ contains arbitrarily long paths as induced subgraphs. 


In the rest of the paper we concentrate solely on (parts of) the proof of Theorem 4. The omitted parts, as well as the proof that Theorem 4 implies Theorem 3, are to be found in the full version of this paper [20]. 


Example 2. For a quasi-order $(X, \le)$, multiset inclusion is defined as follows for $m, m' \in \mathcal{M}(X)$: $m$ is included in $m'$ if $m$ is obtained from $m'$ by a sequence of operations, where each operation either removes some element, or replaces some element by a smaller one w.r.t. $\le$. The structure $\mathbb{A}_= = (\mathbb{N}, =)$ admits WQO. Indeed, $\mathrm{AGE}(\mathbb{A}_=)$ contains just finite pure sets, thus $\le_X$ is quasi-order-isomorphic to the multiset inclusion on $\mathcal{M}(X)$, and is therefore a WQO whenever the underlying quasi-order $(X, \le)$ is. Similarly, $\mathbb{A}_{\mathrm{N}} = (\mathbb{N}^2, =_1, =)$ also admits WQO, as $\le_X$ is quasi-order-isomorphic to the multiset inclusion on $\mathcal{M}(\mathcal{M}(X))$. 

On the other hand, consider the 3-graph $(\mathbb{N}^2, =_1, =_2, \neq_{12})$ where $=_2$ is symmetric to $=_1$ and $(n, m) \neq_{12} (n', m')$ if $n \neq n'$ and $m \neq m'$. It refines $\mathbb{A}_{\mathrm{N}}$ and does not admit WQO. Indeed, in agreement with Theorem 4, the graph $(\mathbb{N}^2, =_1 \cup =_2)$ contains arbitrarily long paths of the shape presented in the figure (not reproduced here), where the two colors depict $=_1$ and $=_2$, respectively, and lack of color corresponds to $\neq_{12}$. Note that $(\mathbb{N}^2, =_1, =_2, \neq_{12})$ is homogeneous but not strongly so. 
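As an added illustration (not from the paper) of the multiset inclusion used in Example 2, the Python code below decides whether a finite multiset $m$ is included in $m'$ with respect to a quasi-order on $X$, in the embedding direction of the text: every element of $m$ must be matched injectively to an element of $m'$ that is at least as large. The matching is found with a standard augmenting-path search (Kuhn's algorithm); nesting the check once yields the order on $\mathcal{M}(\mathcal{M}(X))$ that Example 2 associates with $\mathbb{A}_{\mathrm{N}}$. Function names and the sample multisets are constructed for this example.

```python
def included(m, m_prime, leq):
    """Multiset inclusion up to a quasi-order: True iff there is an injective map from
    the elements of m to the elements of m_prime such that each element of m is <=
    (via `leq`) the element it is mapped to.  Multisets are lists, so repeated
    entries are distinct elements carrying equal values."""
    left, right = list(m), list(m_prime)
    match_of = [-1] * len(right)      # match_of[j] = index in `left` matched to right[j]

    def augment(i, seen):
        # Try to match left[i], re-routing earlier matches along an augmenting path.
        for j in range(len(right)):
            if not seen[j] and leq(left[i], right[j]):
                seen[j] = True
                if match_of[j] == -1 or augment(match_of[j], seen):
                    match_of[j] = i
                    return True
        return False

    return all(augment(i, [False] * len(right)) for i in range(len(left)))


def leq_nat(a, b):
    """The usual order on natural numbers, used here as the underlying WQO (X, <=)."""
    return a <= b


def leq_multiset(m, m_prime):
    """Multiset inclusion on M(N): the order <=_X of Example 2 for A_=, where a finite
    pure set labelled by X is just the multiset of its labels."""
    return included(m, m_prime, leq_nat)


def leq_nested(mm, mm_prime):
    """Inclusion on M(M(N)), the order Example 2 associates with the nested equality
    domain A_N: each equivalence class becomes one inner multiset of labels, and
    classes are matched against classes."""
    return included(mm, mm_prime, leq_multiset)


if __name__ == "__main__":
    print(leq_multiset([1, 2], [2, 3]))                     # True
    print(leq_multiset([2, 2], [2, 1, 1]))                  # False: one element >= 2 only
    print(leq_nested([[1], [2, 2]], [[1, 5], [3, 3], []]))  # True
```

The augmenting-path search matters for correctness: a greedy left-to-right assignment would wrongly reject `[1, 2, 3]` against `[3, 2, 1]`, since the first element would grab the 3 that the last element needs.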


4 Proof of Theorem 4 


From now on we consider a fixed 3-graph $G = (V, C_1, C_2, C_3)$ as data domain, assuming $G$ to be countably infinite and strongly homogeneous. We treat $G$ as a clique with 3-colored edges: we call $C_1, C_2$ and $C_3$ colors and put $\mathrm{Colors} = \{C_1, C_2, C_3\} \subseteq \mathcal{P}(V \times V)$. To denote individual colors from this set, we will use variables $a, b, c$ and $x, y, z$. A path in the graph $(V, a \cup b)$ we call an $ab$-path ($a, b \in \mathrm{Colors}$); for simplicity, we will write $a$-path instead of $aa$-path. Likewise we speak of $ab$-cliques, $a$-cliques, $ab$-cycles, etc. A triangle $\triangle abc$ is a 3-clique with edges colored by $a, b, c$. (Note that $\triangle abc = \triangle bca = \triangle cba$.) 
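To make the notions of this section and of Theorem 4 concrete, here is an added Python example (not part of the paper) that represents a finite 3-graph as a symmetric coloring of pairs, checks the defining condition (every pair of distinct vertices lies in exactly one of the three colors), and searches for induced $ab$-paths in $(V, a \cup b)$ by exhaustive extension. It is run on the finite $n \times n$ fragment of the 3-graph $(\mathbb{N}^2, =_1, =_2, \neq_{12})$ of Example 2, where the zigzag through the grid is an induced $=_1=_2$-path. The color names, the grid size and the function names are assumptions of the example.

```python
from itertools import combinations

# A finite 3-graph is a vertex list plus a coloring color(u, v) that returns, for
# distinct u, v, one of three color names.  The colors below are the relations of the
# 3-graph (N^2, =_1, =_2, !=_12) of Example 2 restricted to the grid {0..n-1}^2
# (color names chosen for this example).
COLORS = ("eq1", "eq2", "neq12")


def grid_color(u, v):
    """(n,m) =_1 (n',m') iff n = n' and m != m'; =_2 symmetrically; !=_12 otherwise."""
    (n, m), (n2, m2) = u, v
    if n == n2 and m != m2:
        return "eq1"
    if m == m2 and n != n2:
        return "eq2"
    return "neq12"


def grid(n):
    return [(i, j) for i in range(n) for j in range(n)]


def is_3graph(vertices, color, colors=COLORS):
    """Every pair of distinct vertices must receive exactly one color, symmetrically."""
    for u, v in combinations(vertices, 2):
        if color(u, v) not in colors or color(u, v) != color(v, u):
            return False
    return True


def is_induced_path(seq, color, allowed):
    """seq = v_1..v_n is an induced path of (V, union of `allowed`) iff consecutive
    nodes are joined by an allowed color and no other pair is (no chords)."""
    allowed = set(allowed)
    for i, j in combinations(range(len(seq)), 2):
        adjacent = color(seq[i], seq[j]) in allowed
        if adjacent != (j == i + 1):
            return False
    return True


def longest_induced_path(vertices, color, allowed):
    """Length (number of nodes) of a longest induced path in (V, union of `allowed`),
    found by exhaustive depth-first extension; adequate for the small graphs here."""
    allowed = set(allowed)
    best = 0

    def extend(path, on_path):
        nonlocal best
        best = max(best, len(path))
        for v in vertices:
            if v in on_path or color(path[-1], v) not in allowed:
                continue
            # induced: v may not be adjacent to any earlier node of the path
            if any(color(u, v) in allowed for u in path[:-1]):
                continue
            path.append(v)
            on_path.add(v)
            extend(path, on_path)
            path.pop()
            on_path.discard(v)

    for v in vertices:
        extend([v], {v})
    return best


def zigzag(n):
    """The path (0,0),(0,1),(1,1),(1,2),... of Example 2, alternating =_1 and =_2 edges."""
    path = [(0, 0)]
    while len(path) < 2 * n - 1:
        i, j = path[-1]
        path.append((i, j + 1) if len(path) % 2 == 1 else (i + 1, j))
    return path


if __name__ == "__main__":
    print(is_3graph(grid(3), grid_color))
    print(is_induced_path(zigzag(3), grid_color, ("eq1", "eq2")))
    print(longest_induced_path(grid(4), grid_color, ("eq1", "eq2")))
```

On the $n \times n$ fragment the longest induced $=_1=_2$-path has $2n - 1$ nodes, exactly the zigzag, so the path length grows without bound with $n$, which is the witness Theorem 4 asks for in the second alternative. A single color, say $=_1$, gives only paths of length 2, since three vertices of one row form a triangle rather than a path.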


Sketch of the Proof. Lemma 1 below states that any 3-graph $G$ has to meet one of the four listed cases. It splits the proof into four separate paths: 

[Proof roadmap diagram, not reproduced: one row per case (A)-(D) of Lemma 1, with columns (vertices), (edges), (paths of len. 2), (any paths); the steps are labelled Lemma 2, Thm 5, Lemma 3, Lemma 4 (in the full version) and Lemma 5; each path ends either in "$G$ embeds arbitrarily long paths" or in "$G$ admits WQO".] 


We present in detail only one of the three nontrivial paths — the one corresponding to case (C). Cases (A) and (B) are treated in the full version [20]. Case (A) constitutes the most difficult part of the proof and involves a complex and delicate analysis of consequences of the amalgamation property. It consists of four steps that deduce extensions of the assumed induced substructures by individual vertices, individual edges, paths of length 2, resp., culminating in the derivation of arbitrarily long paths. Thus in case (A) only the second condition of Theorem 4 is possible, while in the other two cases both conditions of Theorem 4 may hold true. 


Lemma 1. Every homogeneous 3-graph $G = (V, C_1, C_2, C_3)$ satisfies one of the following conditions: 

(A) for some color $c \in \mathrm{Colors}$, $G$ contains the following induced substructures: (a) arbitrarily large $c$-cliques, and (b) two triangles $\triangle axc$ and $\triangle acc$, for some colors $a, x$ different than $c$ (figure not reproduced); 

(B) for some colors $x \neq y$, $(V, x \cup y)$ is a union of disjoint cliques; 

(C) for some color $x$, $(V, x)$ is a union of finitely many disjoint infinite cliques; 

(D) for some colors $x \neq y$, $(V, x \cup y)$ contains arbitrarily long paths. 

Proof. By Ramsey's theorem, $G$ contains arbitrarily large monochromatic cliques. Let us state a bit stronger requirement: 

Condition (★): For some $a, c \in \mathrm{Colors}$, $G$ contains arbitrarily large $c$-cliques and a triangle $\triangle acc$ with exactly two $c$-edges ($a \neq c$). 

Consider two cases, depending on whether condition (★) is satisfied or not. 


Case 1°. Assume that $G$ contains both arbitrarily large $c$-cliques and a triangle $\triangle acc$ for some $a, c \in \mathrm{Colors}$. Let $b$ be the third, remaining color. Our goal will be to show that either (A) or (B) holds. 

If the graph $(V, a \cup b)$ is a disjoint sum of cliques, we immediately obtain (B). Suppose the contrary. We get that $G$ has to contain one of the three possible counterexamples to transitivity of the relation $a \cup b$, namely one of the triangles $\triangle aac$, $\triangle abc$, $\triangle bbc$ (figure not reproduced). If it contains the triangle $\triangle aac$ or $\triangle abc$, case (A) holds. 

Suppose we got $\triangle bbc$. Let us check this time whether colors $a$ and $c$ form a union of disjoint cliques. Again, if it is so, we easily get (B), so we assume the contrary. Similarly, we necessarily obtain one of the following triangles: $\triangle aab$, $\triangle acb$, $\triangle ccb$ (figure not reproduced). This time case (A) also holds for two out of the three triangles above: 

— for $\triangle acb$, because together with the subgraphs resulting from assumption (★) (i.e. with the triangle $\triangle acc$ and the $c$-cliques) we get all graphs required by (A); 

— for $\triangle ccb$ paired with the triangle $\triangle bbc$ we just obtained, using the color $b$ appearing in those triangles in place of $a$ in condition (A). 


It only remains to consider the situation when we got $\triangle aab$. We use it together with the previously obtained triangle $\triangle bbc$ to build an instance of singleton amalgamation (figure not reproduced: the two triangles share their $b$-edge, and the edge between the two remaining vertices is dashed). Depending on the color of the dashed edge, in the solution we get one of the following triangles: $\triangle aac$, $\triangle abc$, $\triangle abc$, and each one alone completes the requirements of (A). This closes case 1°. 


Case 2°. Suppose condition (★) is false. Recall that $G$ contains arbitrarily large $c$-cliques for some $c \in \mathrm{Colors}$. Since (★) does not hold, the graph does not contain a triangle $\triangle cca$ — in other words, the color $c$ appears only within cliques. We conclude that $(V, c)$ is a union of disjoint cliques. Clearly at least one of these cliques has to be infinite. By homogeneity we get that all the cliques in $(V, c)$ have to be infinite. Now our target is to show that either (C) or (D) holds. 

Case (C) is fulfilled when there are only finitely many $c$-cliques. Let us assume the contrary. In each of the $c$-cliques we choose one vertex. Edges between the chosen vertices form an infinite $ab$-clique $K$. Using Ramsey's theorem again, we conclude that in $K$ one of the colors $a, b$ forms arbitrarily large monochromatic cliques. W.l.o.g. suppose that this is color $b$. 

If the graph $G$ contained $\triangle ybb$ for some $y \neq b$, then the assumptions of (★) would be met, leading to a contradiction. Therefore we conclude that $(V, b)$ is a union of disjoint infinite $b$-cliques. 

When there are only finitely many $b$-cliques, condition (C) is fulfilled. Otherwise we know that $G$ is a union of infinitely many $x$-cliques for both $x = c$ and $x = b$. Using homogeneity, it is easy to show that then every pair of differently colored cliques has exactly one common vertex, so the graph $G$ takes the form depicted in Example 2. A graph of such form contains arbitrarily long $bc$-paths, so the requirements of (D) are met. 


4.1 Case (C) 


Let $c$ be the color that satisfies condition (C), and $a, b$ — the remaining two colors. In this section we often treat $G$ as the $k$-partite graph $(V, a \cup b)$ (for some $k \in \mathbb{N}$): the $k$ cliques of color $c$ allow us to distinguish $k$ groups of vertices $V_1 \cup V_2 \cup \cdots \cup V_k = V$ (from now on we will refer to them as layers). The remaining two colors can be interpreted as existence ($a$) and nonexistence ($b$) of edges between these groups. 

Remark. We observe that the special color $c$ between vertices within each layer $V_i$ ensures that the automorphisms of $G$ will not 'mix' those layers: when two vertices $u, v$ belong to a common layer $V_i$, then their images $f(u), f(v)$ will also belong to some common layer $V_j$, no matter what automorphism $f \in \mathrm{Aut}(G)$ we choose. Obviously, the automorphisms can switch positions of whole layers, e.g. move all vertices from $V_i$ to some $V_j$ and vice versa — in this respect the layers are indistinguishable. 
Lemma 2. For every i, j ∈ {1, 2, ..., k} and α ∈ Colors (α ≠ c) the bipartite graph G_{i,j} = (V_i ∪ V_j, α ∩ (V_i ∪ V_j)², V_i, V_j) (with two distinguishable sides V_i, V_j) is homogeneous.

The vertex sets V_i and V_j are used here as unary relations that allow us to tell the two layers of G_{i,j} (the sides of G_{i,j}) apart. An example is shown on the right, with three layers V_1, V_2 and V_3, and three bipartite graphs G_{1,2}, G_{2,3} and G_{1,3}.

[Figure: three layers V_1, V_2, V_3 and the bipartite graphs between them; only the labels survived extraction.]


Proof. Fix a bipartite graph G_{i,j}. To prove its homogeneity we have to show that each isomorphism between two of its finite induced subgraphs may be extended to some automorphism of G_{i,j}. Let us then take some given isomorphism f : G_1 → G_2 for some finite induced subgraphs G_1, G_2 of G_{i,j}. It is easy to extend it to a full automorphism when it 'touches' both layers of G_{i,j}, i.e.:

V(G_1) ∩ V_i ≠ ∅ ∧ V(G_1) ∩ V_j ≠ ∅

where V(G_1) is the set of vertices of G_1. In this case, by homogeneity of G, we construct a full automorphism f' : G → G which extends f. It is easy to see that in this case f' has to fix the layers V_i and V_j, and hence f' restricted to the graph G_{i,j} is a correct automorphism of this graph.

Things get more complicated when f operates only on some single layer of G_{i,j}. W.l.o.g. suppose that it 'touches' only V_i, so V(G_1) ∩ V_j = ∅. Now the above construction will not work out of the box: if we were unlucky, the automorphism of G we get by homogeneity moves the whole layer V_j to some V_n located 'outside' the graph G_{i,j} (n ∉ {i, j}).

It will be handy to make the following observation: when f 'touches' only V_i we may assume that V(G_1) ∩ V(G_2) = ∅. Indeed, every function g : G_1 → G_2 that violates this condition may be decomposed as g = f_2 ∘ f_1 for some f_1, f_2:

f_1 : G_1 → H,   f_2 : H → G_2

such that H is disjoint both with G_1 and with G_2.

Now, let N = |V(G_1)| = |V(G_2)| be the size of the domain of the isomorphism f. Let us take an arbitrary infinite family (S_n)_{n∈ℕ} of subgraphs of G with disjoint vertex sets, such that the following conditions are met:

— |V(S_n) ∩ V_m| = 1 for m ≠ i (and this single vertex will be denoted as v_m^{(n)}),
— |V(S_n) ∩ V_i| = N (denote these vertices as s_1^{(n)}, s_2^{(n)}, ..., s_N^{(n)}).

We define a connection type of the layer V_i with V_m in the graph S_n as the N-element sequence of colors of the edges from the list below:

{s_1^{(n)}, v_m^{(n)}}, {s_2^{(n)}, v_m^{(n)}}, ..., {s_N^{(n)}, v_m^{(n)}}
E.g. in the graph below, the connection type of layer V_i = V_3 with V_1 is abba, and with V_2 it is aaba (remembering that b is treated as lack of an edge):

[Figure: a graph S_n with layers V_1, V_2, V_3 illustrating the connection types abba and aaba; only residue survived extraction.]


Furthermore, we define the type of the graph S_n to be the sequence of types arising between V_i and the other layers plus the list of edge-colors between all pairs of vertices v_m^{(n)} (enumerated in some consistent way). As there are only finitely many such types, by the pigeonhole principle there exists a pair of graphs S_α and S_β with the same type.

Let us fix some order on the vertices of G_1: V(G_1) = {g_1, g_2, ..., g_N}. Let h be the partial isomorphism that moves the vertices as follows:

s_1^{(α)} ↦ g_1        s_1^{(β)} ↦ f(g_1)
...                    ...
s_N^{(α)} ↦ g_N        s_N^{(β)} ↦ f(g_N)


By homogeneity, it has to extend to a full automorphism h' ∈ Aut(G). In particular, in the neighbourhood of G_1 and G_2 there will be images of all vertices v_m^{(γ)} of the graphs S_α and S_β:

h'(v_m^{(γ)})   for m ∈ {1, 2, ..., k} \ {i}

(for γ ∈ {α, β}). What follows is that G_1 with the added vertices h'(v_m^{(α)}) has the same type as G_2 with h'(v_m^{(β)}) respectively (that type may differ from the type of S_α and S_β though!). It is best illustrated on a picture:

[Figure: G_1 together with the vertices h'(v_m^{(α)}) and G_2 together with the vertices h'(v_m^{(β)}); the colored triangles stand for connection types. Only residue survived extraction.]
Above, the colored triangles represent the types of connections. The order of those types may get permuted when applying h', but still, in line with Remark (⋄), for each m ∈ {1, 2, ..., k} \ {i} the vertex h'(v_m^{(α)}) must stay in the same layer as h'(v_m^{(β)}); furthermore their type of connection with the layer V_i is preserved. Extending the isomorphism f in a natural way (thanks to the compatibility of types) to those newly obtained vertices:

h'(v_m^{(α)}) ↦ h'(v_m^{(β)})   for m ∈ {1, 2, ..., k} \ {i}

we get an isomorphism that this time 'operates' on all layers V_m. If we now extend it to an automorphism of the whole G, we will get a function that fixes all layers V_m. This function may be safely restricted to V_i ∪ V_j, staying a correct automorphism of our initial bipartite graph G_{i,j}, which completes the proof.


We are going to apply to the graphs G_{i,j} the following classification result:

Theorem 5 ([16]). A countably infinite homogeneous bipartite graph (with distinguishable sides) is either empty, or full, or a perfect matching, or the complement of a perfect matching, or a universal graph.

From our point of view, all we need to know about the universal graph is that it contains arbitrarily long paths which, translated to our notation, would mean that G_{i,j} contains arbitrarily long a-paths. Therefore in our further considerations we assume that G_{i,j} is not universal which, in our notation, leaves two types of G_{i,j}:

1. all edges of G_{i,j} have the same color x ∈ {a, b}, i.e. G_{i,j} is a full or empty bipartite graph,

2. one of the colors x ∈ {a, b} forms a perfect matching in G_{i,j}; the second one (y ≠ x) is then the complement of this matching.

Graphs of type 2 may be seen as bijections between their sets of vertices (layers). Lemma 3 states that those bijections have to agree with each other.


Lemma 3. Let V_i, V_j, V_k be some arbitrary pairwise different layers, such that G_{i,j} is of type 2 and ψ : V_i → V_j is the bijection it determines. Then ψ takes a ∩ (V_i ∪ V_k)² to a ∩ (V_j ∪ V_k)², or to its complement. Formally:

( ∀_{u∈V_i} ∀_{v∈V_k}  u a v ⇔ ψ(u) a v )  ∨  ( ∀_{u∈V_i} ∀_{v∈V_k}  u a v ⇔ ¬ ψ(u) a v )

Proof. We head towards a contradiction. Negating the claim we get:

( ∃_{u∈V_i} ∃_{v∈V_k}  ¬(u a v ⇔ ψ(u) a v) )  ∧  ( ∃_{u∈V_i} ∃_{v∈V_k}  ¬(u a v ⇔ ¬ ψ(u) a v) )
which leads to four cases with similar proofs. We will consider one of them, given by the formula below, and omit the others. Let us then assume that there exist x, x' ∈ V_i and y, y' ∈ V_k such that:

x a y ∧ x' a y' ∧ ψ(x) a y ∧ ¬ ψ(x') a y'.

Let g be the partial isomorphism of the form g = {x ↦ x', y ↦ y'}. By homogeneity of G, there is some full automorphism g' ∈ Aut(G) extending g. If additionally we were able to force g' to fix the layer V_j, we would be almost done. Let us try to achieve that property. For that purpose, in V_j we choose a vertex v such that:

I. v ∉ ψ({x, x'}),

II. if G_{j,k} is a graph of type 2 defining a bijection φ : V_k → V_j, then also v ∉ φ({y, y'}).

Clearly such a vertex must exist: the two conditions above exclude at most 4 different vertices from the infinite set of candidates. The function g extended with v ↦ v stays a correct isomorphism, because:

— in G_{i,j}, by the definition of isomorphism we need the edges {x, v} and {g(x), g(v)} to be equally colored, and, in fact, they are. We get this thanks to condition I: x is connected with all vertices from V_j \ {ψ(x)} by edges of one color from {a, b}. We similarly handle x'.

— in turn in G_{j,k}: if it is a graph of type 1, the needed equality of colors of the edges {y, v} and {g(y), g(v)} trivially holds. If it is a graph of type 2, the equality of colors is derived similarly as in G_{i,j}, using condition II.

The presence of the vertex v ensures that the layer V_j is preserved by the full automorphism g' ∈ Aut(G) we get by homogeneity.

Since G_{i,j} is of type 2, the vertex ψ(x') is the only possible choice for the image of ψ(x) under g': this is the only vertex x' is connected to by an appropriately colored edge. Because g' is an automorphism, we get that ψ(x') a y', which leads us to the contradiction.


From the lemma we have just proved one easily derives the following corollary:

Corollary 1. The following relation ≡ on layers is transitive:

V_i ≡ V_j ⇔ the graph G_{i,j} is of type 2.

Furthermore, if V_i ≡ V_j and V_j ≡ V_k then f_{j,k} ∘ f_{i,j} = f_{i,k}, where f_{i,j}, f_{j,k}, f_{i,k} are the bijections determined by the graphs G_{i,j}, G_{j,k} and G_{i,k}.


In Lemma 5 below, which is the last step of the proof of case (C), we will apply the following fact:

Lemma 4. Consider a homogeneous 3-graph G and a partition of its vertex set V = ⋃_{n∈ℕ} U_n into sets U_n of equal finite cardinality. Suppose further that for every n ∈ ℕ, there is an automorphism π_n of G that swaps U_0 with U_n and is the identity elsewhere. Then G admits WQO.

Proof. Let G = (V, a, b, c) be a 3-graph. Define for u ∈ U_0 the sets V_u ⊆ V, which we call layers:

V_u = {π_n(u) | n ∈ ℕ}.

We will prove that the structure G' = (V, a, b, c, (V_u)_{u∈U_0}) admits WQO. This will imply that G admits WQO as well; indeed, compared to G, the structure G' is equipped with additional unary relations V_u, which only makes the order ≤ in AGE(G') finer than the analogous order in AGE(G).

Let G_n denote the induced substructure of G' on the vertex set U_n. By the assumptions, for every n, m ∈ ℕ there is a swap of U_n and U_m that, extended with the identity elsewhere, is an automorphism of G'. In consequence, all structures G_n are isomorphic, and the embedding order ≤ of induced substructures of G' is isomorphic to finite multisets over AGE(G_0), ordered by multiset inclusion. Thus (AGE(G'), ≤) is isomorphic to the multiset inclusion in M(AGE(G_0)), which is a WQO as U_0 is finite. For any WQO (X, ≤), an analogous isomorphism holds between the lifted embedding order (AGE(G'), ≤_X) and the multiset inclusion in multisets over induced substructures of G_0 labeled by elements of X, and again the latter order is a WQO. Thus G' admits WQO.


Lemma 5. The 3-graph G admits WQO.

Proof. We are going to prepare the ground for the use of Lemma 4. By Corollary 1, the vertex set V partitions into V = ⋃_{n∈ℕ} U_n so that

(a) every layer V_i shares with every set U_n exactly one vertex: U_n ∩ V_i = {v_i^{(n)}},
(b) if f_{i,j} is the bijection determined by G_{i,j} (a graph of type 2), then f_{i,j}(v_i^{(n)}) ∈ U_n, so all the bijections preserve every set U_n.

Intuitively, G can be cut into thin 'slices' perpendicular to the layers V_i. By thin we mean that the slices have exactly one vertex in each layer. The cut is made along the bijections dictated by the graphs of type 2, as in the picture below:

[Figure: the slices U_1, U_2, ..., U_8 cutting across the layers; only the labels survived extraction.]

We observe that for every n, the bijection h_n : V → V that swaps U_1 and U_n along the only bijection U_1 → U_n that preserves layers, and is the identity elsewhere, is an automorphism of G. Indeed, for any three slices U_α, U_β, U_γ we have that:

v_i^{(α)} a v_j^{(γ)}  ⇔  v_i^{(β)} a v_j^{(γ)}

so the edges {v_i^{(α)}, v_j^{(γ)}} and {v_i^{(β)}, v_j^{(γ)}} are colored the same way. The above equivalence is obvious in the case when G_{i,j} is a graph of type 1. In the case of a graph of type 2, the vertex v_i^{(α)} is connected with all vertices from V_j but one by edges of one color from {a, b}. However, the special vertex f_{i,j}(v_i^{(α)}) that is not connected by an edge of that color, by condition (b), also belongs to U_α, so it does not interfere with the above equivalence.

By Lemma 4 we deduce that G admits WQO, which completes the proof.
Abstract. This paper describes a fully automatic technique for verifying safety properties of higher-order functional programs. Tree automata 
are used to represent sets of reachable states and functional programs 
are modeled using term rewriting systems. From a tree automaton rep- 
resenting the initial state, a completion algorithm iteratively computes 
an automaton which over-approximates the output set of the program 
to verify. We identify a subclass of higher-order functional programs for 
which the completion is guaranteed to terminate. Precision and termi- 
nation are obtained conjointly by a careful choice of equations between 
terms. The verification objective can be used to generate sets of equations 
automatically. Our experiments show that tree automata are sufficiently 
expressive to prove intricate safety properties and sufficiently simple for 
the verification result to be certified in Coq. 


1 Introduction 


Higher-order functions are an integral feature of modern programming languages 
such as Java, Scala or JavaScript, not to mention Haskell and Caml. Higher-order 
functions are useful for program structuring but pose a challenge when it comes 
to reasoning about the correctness of programs that employ them. To this end, 
the correctness-minded software engineer can opt for proving properties interac- 
tively with the help of a proof assistant such as Coq [13] or Isabelle/HOL [30], or 
write a specification in a formalism such as Liquid Types [31] or Bounded Refine- 
ment Types [33,34] and ask an SMT solver whether it can prove the verification 
conditions generated from this specification. This approach requires expertise of 
the formal method used, and both the proof construction and the annotation 
phase can be time consuming. 

Another approach is based on fully automated verification tools, where the 
proof is carried out automatically without annotations or intermediate lemmas. 
This approach is accessible to a larger class of programmers but applies to a more 
restricted class of program properties. The flow analysis of higher-order functions 
was studied by Jones [21] who proposed to model higher-order functions as term 
rewriting systems and use regular grammars to approximate the result. More 
recently, the breakthrough results of Ong [29] and Kobayashi [23, 24,26] show 
that combining abstraction with model checking techniques can be used with 
success to analyse higher-order functions automatically. Their approach relies 
on abstraction for computing over-approximations of the set of reachable states, 
on which safety properties can then be verified. 

In this paper, we pursue the goals of higher-order functional verification using an approach based on the original term rewriting models of Jones. We present a formal verification technique based on Tree Automata Completion (TAC) [20], capable of checking a class of properties, called regular properties, of higher-order programs in a fully automatic manner. In our approach, a program is represented as a term rewriting system R and the set of (possibly infinite) inputs to this program as a tree automaton A. The TAC algorithm computes a new automaton A*, by completing A with all terms reachable from A by R-rewriting. This automaton representation of the reachable terms contains all intermediate states as well as the final output of the program. Checking correctness properties of the program is then reduced to checking properties of the computed automaton. Moreover, our completion-based approach permits certifying A* automatically in Coq [6], i.e. given A, R and A*, obtaining the formal proof that A* recognizes all terms reachable from A by R-rewriting.


Example 1. The following term rewriting system R defines the filter function along with the two predicates even and odd on Peano's natural numbers.

@(@(filter, p), cons(x, l)) → if @(p, x) then cons(x, @(@(filter, p), l)) else @(@(filter, p), l)
@(@(filter, p), nil) → nil
@(even, 0) → true        @(even, s(x)) → @(odd, x)
@(odd, 0) → false        @(odd, s(x)) → @(even, x)

This function returns the input list where all elements not satisfying the input boolean function p are filtered out. Variables (here p, x and l) are underlined, and the special symbol @ denotes function application, where @(f, x) means "x applied to f".


We want to check that for all lists l of natural numbers, @(@(filter, odd), l) filters out all even numbers. One way to do this is to write a higher-order predicate, exists, and check that there exists no even number in the resulting list, i.e. that @(@(exists, even), @(@(filter, odd), l)) always rewrites to false. Let A be the tree automaton recognising terms of the form @(@(exists, even), @(@(filter, odd), l)) where l is any list of natural numbers. The completion algorithm computes an automaton A* recognising every term reachable from L(A) (the set of terms recognised by A) using R together with the definition of the exists function. Formally,

L(A*) = R*(L(A)) = {t | ∃s ∈ L(A), s →*_R t}

To prove the expected property, it suffices to check that true is not reachable, i.e. true does not belong to the regular set L(A*). We denote by regular properties the family of properties characterised by a regular set. In particular, regular properties do not count symbols in terms, nor relate subterm heights (a property comparing the length of the list before and after filter is not regular).

Termination of the tree automata completion algorithm is not ensured in general [19]. For instance, if R*(L(A)) is not regular, it cannot be represented as a tree automaton. In this case, the user can provide a set of equations that will force termination by introducing an approximation based on equational abstraction [27]: L(A*) ⊇ R*(L(A)). Equations make TAC powerful enough to verify first-order functional programs [19]. However, state-of-the-art TAC has two shortcomings. (i) Equations must be given by the user, which goes against full automation, and (ii) even with equations, termination is not guaranteed in the case of higher-order programs. In this paper we propose a solution to these shortcomings with the following contributions:


— We state and prove a general termination theorem for the Tree Automata 
Completion algorithm (Sect. 3); 

— From the conditions of the theorem we characterise a class of higher-order 
functional programs for which the completion algorithm terminates (Sect. 4). 
This class covers common usage of higher-order features in functional pro- 
gramming languages. 

— We define an algorithm that is able to automatically generate equations for 
enforcing convergence, thus avoiding any user intervention (Sect. 5). 


All proofs missing in this paper can be found in the accompanying technical report [17]. The paper is organised as follows: We describe the completion algorithm and how to use equations to ensure termination in Sect. 2.1. The technical contributions as described above are developed in Sects. 3 to 5. In Sect. 6, we present a series of experiments validating our verification technique, and discuss the certification of results in Coq. We present related work in Sect. 7. Section 8 concludes the paper.


2 Background 


This section introduces basic concepts used throughout the paper. We recall the 
usual definitions of term rewriting systems and tree automata, and present the 
completion algorithm which forms the basis of our verification technique. 


2.1 Term Rewriting and Tree Automata 


Terms. An alphabet F is a finite set of symbols, with an arity function ar : F → ℕ. Symbols represent constructors such as nil or cons, or functions such as filter, etc. For simplicity, we also write f ∈ F^n when f ∈ F and ar(f) = n. For instance, cons ∈ F² and nil ∈ F⁰. An alphabet F and a finite set of variables X induce a set of terms T(F, X) such that:

x ∈ T(F, X) ⇐ x ∈ X
f(t_1, ..., t_n) ∈ T(F, X) ⇐ f ∈ F^n and t_1, ..., t_n ∈ T(F, X)
A language is a set of terms. A term t is linear if the multiplicity of each variable in t is at most 1, and closed if it contains no variables. The set of closed terms is written T(F). A position in a term t is a word over ℕ pointing to a subterm of t. Pos(t) is the set of positions in t, one for each subterm of t. It is defined by:

Pos(x) = {λ}
Pos(f(t_1, ..., t_n)) = {λ} ∪ {i.p | 1 ≤ i ≤ n ∧ p ∈ Pos(t_i)}

where λ is the empty word and "." in i.p is the concatenation operator. For p ∈ Pos(t), we write t|_p for the subterm of t at position p, and t[s]_p for the term t where the subterm at position p has been replaced by s. We write s ⊵ t if t is a subterm of s and s ▷ t if it is a subterm and s ≠ t. If L ⊆ T(F), we write L^⊵ for the language L and all its subterms. A substitution σ is an application of X ↦ T(F, X), mapping variables to terms. We tacitly extend it to the endomorphism σ : T(F, X) → T(F, X) where tσ is the result of the application of the term t to the substitution σ.


Term Rewriting Systems [1] provide a flexible way of defining functional programs and their semantics. A rewriting system is a pair (F, R), where F is an alphabet and R a set of rewriting rules of the form l → r, where l, r ∈ T(F, X), l ∉ X and Var(r) ⊆ Var(l). A TRS can be seen as a set of rules, each of them defining one step of computation. We write R for a rewriting system (F, R) if there is no ambiguity on F. A rewriting rule l → r is said to be left-linear if the term l is linear. Example 1 shows a TRS representing a functional program, where each rule is left-linear. In that case we say that the TRS R is left-linear.

A rewriting system R induces a rewriting relation →_R where for all s, t ∈ T(F, X), s →_R t if there exists a rule l → r ∈ R, a position p ∈ Pos(s) and a substitution σ such that lσ = s|_p and t = s[rσ]_p. The reflexive-transitive closure of →_R is written →*_R. The rewriting system introduced in the previous example also derives a rewriting relation →_R, where

@(@(filter, odd), cons(0, cons(s(0), nil))) →*_R cons(s(0), nil)

The term cons(s(0), nil) is irreducible (no rule applies to it) and hence the result of the function call. We write IRR(R) for the set of irreducible terms of R.
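As an added example (not code from the paper), the following Python script runs the rules of Example 1 through a small term rewriting engine and reproduces the derivation above, rewriting at the root when a rule matches and otherwise at the leftmost reducible subterm. The tuple encoding of terms, the "?"-prefixed variables and the extra symbol ite (with the rules ite(true, t, e) → t and ite(false, t, e) → e) used to encode the if-then-else of the filter rule are assumptions of this example, not notation from the paper.

```python
# Added example (not the paper's own code): a minimal term rewriting engine that
# executes the TRS of Example 1 and reproduces the derivation
#   @(@(filter, odd), cons(0, cons(s(0), nil))) ->*_R cons(s(0), nil).
# Encoding assumptions: a term is a nested tuple ("f", t1, ..., tn) (constants are
# 1-tuples such as ("nil",)); a variable is a string starting with "?"; the
# "if c then t else e" of the filter rule is encoded with an extra symbol "ite"
# and the two rules ite(true, t, e) -> t and ite(false, t, e) -> e.

def var(term):
    return isinstance(term, str) and term.startswith("?")

def match(pattern, term, sigma=None):
    """Return a substitution sigma with pattern.sigma == term, or None.
    Repeated variables (non-linear patterns) are checked for consistency."""
    sigma = {} if sigma is None else sigma
    if var(pattern):
        if pattern in sigma:
            return sigma if sigma[pattern] == term else None
        sigma[pattern] = term
        return sigma
    if var(term) or pattern[0] != term[0] or len(pattern) != len(term):
        return None
    for p, t in zip(pattern[1:], term[1:]):
        if match(p, t, sigma) is None:
            return None
    return sigma

def subst(term, sigma):
    """t.sigma: replace every variable of term by its image under sigma."""
    if var(term):
        return sigma[term]
    return (term[0],) + tuple(subst(t, sigma) for t in term[1:])

FILTER_P = ("@", ("filter",), "?p")           # the partial application @(filter, p)
RULES = [
    (("@", FILTER_P, ("cons", "?x", "?l")),
     ("ite", ("@", "?p", "?x"),
      ("cons", "?x", ("@", FILTER_P, "?l")),
      ("@", FILTER_P, "?l"))),
    (("@", FILTER_P, ("nil",)), ("nil",)),
    (("@", ("even",), ("0",)), ("true",)),
    (("@", ("even",), ("s", "?x")), ("@", ("odd",), "?x")),
    (("@", ("odd",), ("0",)), ("false",)),
    (("@", ("odd",), ("s", "?x")), ("@", ("even",), "?x")),
    (("ite", ("true",), "?t", "?e"), "?t"),
    (("ite", ("false",), "?t", "?e"), "?e"),
]

def rewrite_once(term, rules=RULES):
    """One step of ->_R: a rule at the root if one applies (l.sigma = t|_p with
    p = lambda), otherwise the leftmost reducible subterm. None if irreducible."""
    for lhs, rhs in rules:
        sigma = match(lhs, term)
        if sigma is not None:
            return subst(rhs, sigma)
    for i in range(1, len(term)):
        reduced = rewrite_once(term[i], rules)
        if reduced is not None:
            return term[:i] + (reduced,) + term[i + 1:]
    return None

def normalize(term, rules=RULES, max_steps=10_000):
    """Follow ->_R until a term of IRR(R) is reached (the rules of Example 1
    terminate on closed inputs, so this always stops on such terms)."""
    for _ in range(max_steps):
        reduced = rewrite_once(term, rules)
        if reduced is None:
            return term
        term = reduced
    raise RuntimeError("no normal form within max_steps")

def nat(n):
    """Peano numeral s^n(0)."""
    t = ("0",)
    for _ in range(n):
        t = ("s", t)
    return t

def lst(items):
    """cons(i1, cons(i2, ... nil))."""
    t = ("nil",)
    for item in reversed(items):
        t = ("cons", item, t)
    return t

if __name__ == "__main__":
    query = ("@", ("@", ("filter",), ("odd",)), lst([nat(0), nat(1)]))
    print(normalize(query))   # ('cons', ('s', ('0',)), ('nil',))
```

The rewrite strategy (root first, then leftmost subterm) is a choice of this example; the relation →_R of the text allows any position, and for the rules of Example 1 every strategy reaches the same irreducible term.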


Tree Automata [12] are a convenient way to represent regular sets of terms. A tree automaton is a quadruple (F, Q, Q_f, Δ) where F is an alphabet, Q a finite set of states, Q_f the set of final states, and Δ a rewriting system on F ∪ Q. Rules in Δ, called transitions, are of the form l → q where q ∈ Q and l is either a state (∈ Q), or a configuration of the form f(q_1, ..., q_n) with f ∈ F, q_1, ..., q_n ∈ Q. A term t is recognised by a state q ∈ Q if t →*_Δ q, which we also write t →*_A q. We write L(A, q) for the language of all terms recognised by q. A term t is recognised by A if there exists q ∈ Q_f s.t. t ∈ L(A, q). In that case we write t ∈ L(A). E.g., the tree automaton A = (F, Q, Q_f, Δ) with F = {0 : 0, s : 1}, Q_f = {q_list} and Δ = {0 → q_pair, s(q_odd) → q_pair, s(q_pair) → q_odd, nil → q_list, cons(q_pair, q_list) → q_list} recognises all lists of even natural numbers.

An ε-transition is a transition q → q' where q ∈ Q. A tree automaton A is ε-free if it contains no ε-transitions. A is deterministic if for all terms t there is at most one state q such that t →*_A q. A is reduced if for all q there is at least one term t such that t →*_A q.


2.2 Tree Automata Completion Algorithm 


The verification algorithm is based on tree automata completion. Given a program represented as a rewriting system R, and its input represented as a tree automaton A⁰, the tree automata completion algorithm computes a new tree automaton A* recognising the set of all reachable terms starting from a term in L(A). For a given R, we write this set R*(L(A)) = {t | ∃s ∈ L(A), s →*_R t}. It includes all intermediate computations and, in particular, the output of the functional program. The algorithm proceeds by computing iteratively A¹, A², ... such that A^{i+1} = C_R(A^i) until it reaches a fix-point, A*. Here, C_R(A^i) represents one step of completion and is performed by searching and completing the critical pairs of A^i.

[Diagram: lσ →_R rσ with lσ →*_{A^i} q on the left; after completion, rσ →*_{A^{i+1}} q on the right.]

Definition 1 (Critical pair). A critical pair is a triple (l → r, σ, q) where l → r ∈ R, σ is a substitution, and q ∈ Q such that lσ →*_{A^i} q and rσ ↛*_{A^i} q.

Completing a critical pair consists in adding the necessary transitions in A^{i+1} to have rσ →*_{A^{i+1}} q, and hence rσ ∈ L(A^{i+1}, q).


Example 2. Let A⁰ be the previously defined tree automaton recognising all lists of even natural numbers. Let R = {s(s(x)) → s(x)}. A⁰ has a critical pair (s(s(x)) → s(x), σ, q_pair) with σ(x) = q_pair. To complete the automaton, we need to add transitions such that s(q_pair) →*_{A¹} q_pair. Since we already have the state q_odd recognising s(q_pair), we only add the transition q_odd → q_pair. The formal definition of the completion step, including the procedure of choosing which new transition to introduce, can be found in [17].


Every completion step has the following property:

L(A^i) ⊆ L(A^{i+1})   and   s ∈ L(A^i) ∧ s →_R t ⇒ t ∈ L(A^{i+1})

It implies that, if a fix-point A* is reached, then it recognises every term of R*(L(A)). However it is in general impossible to compute a tree automaton recognising R*(L(A)) exactly, and this may cause the completion algorithm to diverge. Instead we shall over-approximate it by an automaton A* such that L(A*) ⊇ R*(L(A)). The approximation is performed by introducing a set E of equations of the form l = r where l, r ∈ T(F, X). From E we derive the relation =_E, the smallest congruence such that for every equation l = r and substitution σ we have lσ =_E rσ. In this paper we also write E for the TRS {l → r | l = r ∈ E}. At each completion step, the algorithm simplifies the automaton by merging states together according to E.

Definition 2 (Simplification Relation). Let A = (F, Q, Q_f, Δ) be a tree automaton and E be a set of equations. If s = t ∈ E, σ : X → Q, q, q' ∈ Q such that sσ →*_A q, tσ →*_A q' and q ≠ q' then A can be simplified into A' = A{q' ↦ q} (where q' has been substituted by q), denoted by A ⇝_E A'.


We write S_E(A) for the unique automaton (up to renaming) A' such that A ⇝*_E A' and A' is irreducible by ⇝_E. One completion step is now defined by

A^{i+1} = S_E(C_R(A^i)).

[Diagram: sσ →*_A q and tσ →*_A q' with sσ =_E tσ on the left; after simplification both reach the merged state q on the right.]

Example 3. This example shows how using equations can lead to approximations in tree automata. Let A be the tree automaton defined by the set of transitions Δ = {0 → q_0, s(q_0) → q_1}. This automaton recognises the two terms 0 in q_0 and s(0) (also known as 1) in q_1. Let E = {s(x) = x} containing the equation that equates a number and its successor. For σ = {x ↦ q_0} we have s(x)σ →*_A q_1, xσ →*_A q_0 and s(x)σ =_E xσ. Then in S_E(A), q_0 and q_1 are merged. The resulting automaton has transitions {0 → q_0, s(q_0) → q_0}, which recognises ℕ in q_0.


The idea behind the simplification is to overapproximate R*(L(A)) when it is 
not regular. It has been shown in [19] that it is possible to tune the precision 
of the approximation. For a given TRS R, initial state automaton A and set 
of equations FE, the termination of the completion algorithm is undecidable in 
general, even with the use of equations. Our contribution in this paper consists 
in finding a class of TRS/programs and equations E for which the completion 
algorithm with equations terminates. 
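To make the completion step C_R, the critical pairs of Definition 1 and the simplification relation of Definition 2 concrete, here is an added example that is not the paper's implementation (the paper's formal completion step is given in [17]). It encodes the even-list automaton of Sect. 2.1, finds the critical pairs for R = {s(s(x)) → s(x)} as in Example 2, completes them, and merges states according to E = {s(x) = x} as in Example 3. The tuple encoding of terms and transitions, the enumeration of substitutions σ : X → Q by brute force over Q, the rule for choosing which transition to add (reuse a state that already recognises the configuration, else create a fresh one) and all function names are assumptions of this example.

```python
from itertools import count, product
# Added example, not the paper's implementation (its formal completion step is in
# [17]): recognition, the critical pairs of Definition 1 and their completion, and
# the simplification of Definition 2, replayed on Examples 2 and 3. Encoding
# assumptions: a term is a nested tuple ("f", t1, ..., tn); a variable is a string
# starting with "?"; a state is any other string; a transition is (cfg, q) with cfg
# a state (epsilon-transition cfg -> q) or a configuration ("f", q1, ..., qn).

def variables(t):
    if isinstance(t, str):
        return {t} if t.startswith("?") else set()
    return set().union(*(variables(c) for c in t[1:]))

def subst(t, sigma):                     # t.sigma; also used to rename states
    if isinstance(t, str):
        return sigma.get(t, t)
    return (t[0],) + tuple(subst(c, sigma) for c in t[1:])

def all_states(delta):
    return sorted({q for _, q in delta} | {s for cfg, _ in delta
                  for s in ([cfg] if isinstance(cfg, str) else cfg[1:])})

def states_of(t, delta):                 # all q with t ->*_Delta q
    if isinstance(t, str):               # a state used as a leaf recognises itself
        states = {t}
    else:
        kids = [states_of(c, delta) for c in t[1:]]
        states = {q for cfg, q in delta if isinstance(cfg, tuple) and cfg[0] == t[0]
                  and len(cfg) == len(t) and all(s in k for s, k in zip(cfg[1:], kids))}
    while True:                          # close under epsilon-transitions
        new = {q for cfg, q in delta if isinstance(cfg, str) and cfg in states} - states
        if not new:
            return states
        states |= new

def critical_pairs(rules, delta):        # Definition 1
    found = []
    for lhs, rhs in rules:
        xs = sorted(variables(lhs))
        for choice in product(all_states(delta), repeat=len(xs)):
            sigma = dict(zip(xs, choice))   # sigma : X -> Q
            missing = states_of(subst(lhs, sigma), delta) - states_of(subst(rhs, sigma), delta)
            found += [((lhs, rhs), sigma, q) for q in sorted(missing)]
    return found

def state_for(c, delta, fresh):          # a state recognising c, created if needed
    if isinstance(c, str):
        return c
    known = states_of(c, delta)
    if known:
        return min(known)
    q = fresh()
    add_transitions(c, q, delta, fresh)
    return q

def add_transitions(t, q, delta, fresh): # extend delta so that t ->* q
    cfg = t if isinstance(t, str) else (t[0],) + tuple(state_for(c, delta, fresh) for c in t[1:])
    targets = {q2 for cfg2, q2 in delta if cfg2 == cfg}
    # a configuration already recognised by q2 only gets q2 -> q (Example 2: q_odd -> q_pair)
    new = (min(targets), q) if targets else (cfg, q)
    if q not in targets and new[0] != q and new not in delta:
        delta.append(new)

def find_merge(delta, equations):        # Definition 2: (q', q) to merge, or None
    for s, t in equations:
        xs = sorted(variables(s) | variables(t))
        for choice in product(all_states(delta), repeat=len(xs)):
            sigma = dict(zip(xs, choice))
            for q in sorted(states_of(subst(s, sigma), delta)):
                for q2 in sorted(states_of(subst(t, sigma), delta) - {q}):
                    return q2, q
    return None

def simplify(delta, finals, equations):  # S_E(A): apply A{q' -> q} to a fix-point
    delta, finals = list(delta), set(finals)
    merge = find_merge(delta, equations)
    while merge is not None:
        ren = {merge[0]: merge[1]}
        delta = [(cfg, q) for cfg, q in {(subst(c, ren), ren.get(q, q)) for c, q in delta}
                 if cfg != q]            # drop trivial q -> q transitions
        finals = {ren.get(q, q) for q in finals}
        merge = find_merge(delta, equations)
    return delta, finals

def completion(rules, delta, finals, equations, max_steps=50):
    """A^{i+1} = S_E(C_R(A^i)) until no critical pair remains."""
    delta, finals, ids = list(delta), set(finals), count(1)
    fresh = lambda: "q_new%d" % next(ids)
    for _ in range(max_steps):
        pairs = critical_pairs(rules, delta)
        if not pairs:
            return delta, finals
        for (_, rhs), sigma, q in pairs:
            add_transitions(subst(rhs, sigma), q, delta, fresh)
        delta, finals = simplify(delta, finals, equations)
    raise RuntimeError("completion did not converge")

# Example 2: the automaton for lists of even naturals and R = {s(s(x)) -> s(x)}
A0 = [(("0",), "q_pair"), (("s", "q_odd"), "q_pair"), (("s", "q_pair"), "q_odd"),
      (("nil",), "q_list"), (("cons", "q_pair", "q_list"), "q_list")]
R = [(("s", ("s", "?x")), ("s", "?x"))]
# Example 3: Delta = {0 -> q0, s(q0) -> q1} simplified with E = {s(x) = x}
A3 = [(("0",), "q0"), (("s", "q0"), "q1")]
E3 = [(("s", "?x"), "?x")]
```

Running completion(R, A0, {"q_list"}, []) adds the ε-transition q_odd → q_pair of Example 2 (and its converse, since σ(x) = q_odd is a critical pair too), after which lists containing odd numbers are recognised: the over-approximation of R*(L(A⁰)) the text describes. Running simplify(A3, {"q1"}, E3) merges q0 into q1 and leaves an automaton with a single state recognising every numeral, as in Example 3.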


3 Termination of Tree Automata Completion 


In this section, we show that termination of the completion algorithm with a set of equations E is ensured under the following conditions: (i) A^k is reduced, ε-free and deterministic (written REFD in the rest of the paper) for all k; (ii) every term of A^k can be rewritten into a term of a given language L ⊆ T(F) using R (for instance if R is terminating); (iii) L has a finite number of equivalence classes w.r.t. E. Completion is known to preserve reducedness and determinism if E ⊇ E_r ∪ E_R [19], where E_R = {s = t | s → t ∈ R} and E_r = {f(x_1, ..., x_n) = f(x_1, ..., x_n) | f ∈ F^n}. Condition (i) is ensured by showing that, in our verification setting, completion preserves REFD. The last condition is ensured by having E ⊇ E^c_L where E^c_L is a set of contracting equations.

Definition 3 (Contracting Equations). Let L ⊆ T(F). A set of equations is contracting for L, denoted by E^c_L, if all equations of E^c_L are of the form u = u|_p with u a linear term of T(F, X), p ≠ λ, and if the set of normal forms of L w.r.t. the TRS E^c_L→ = {u → u|_p | u = u|_p ∈ E^c_L} is finite.

Example 4. Assume that F = {0 : 0, s : 1}. The set E^c_L = {s(x) = x} is contracting for L = T(F) because the set of normal forms of T(F) with respect to E^c_L→ = {s(x) → x} is the (finite) set {0}. The set E^c_L = {s(s(x)) = x} is contracting because the normal forms of {s(s(x)) → x} are {0, s(0)}.


The contracting equations ensure that the completion algorithm will merge enough states during the simplification steps to terminate. Note that E^c_L cannot be empty, unless L is finite. To prove termination of completion, we first prove that it is possible to bound the number of states needed in A* to recognise a language L by the number of normal forms of L with respect to E^c_L→. In our case L will be the set of output terms of the program. Since A* does not only recognise the output terms, we need additional states to recognise intermediate computation terms. In the proof of Theorem 1 we show that with E_R, the simplification steps will merge the states recognising the intermediate computations with the states recognising the outputs. If the latter set of states is finite then we can show that A* is finite.

Theorem 1. Let A be an REFD tree automaton, R a left-linear TRS, E a set of equations and L a language closed by subterms such that for all k ∈ ℕ and for all s ∈ L^⊵(A^k), there exists t ∈ L s.t. s →*_R t. If E ⊇ E_r ∪ E^c_L ∪ E_R then the completion of A by R and E terminates with a REFD A*.


4 A Class of Analysable Programs 


The next step is to identify a class of functional programs and a language L for which Theorem 1 applies. By choosing L = T(F) and providing a set of contracting equations E^c_{T(F)}, the termination theorem above proves that the completion algorithm terminates on any functional program R. If this works in theory, in practice we want to avoid introducing equations over the application symbol (such as @(x, y) = y). Contracting equations on applications make sense in certain cases, e.g., with idempotent functions (@(sort, @(sort, x)) = @(sort, x)), but in most cases such equations dramatically lower the precision of the completion algorithm. Hence, we want to identify a language L with no contracting equations over @ in E^c_L. Since such a language L still has to have a finite number of normal forms w.r.t. E^c_L→ (Theorem 1), it cannot include terms containing an unbounded stack of applications. For instance, L cannot contain all the terms of the form @(f, x), @(f, @(f, x)), @(f, @(f, @(f, x))), etc. The @ stack must be bounded, even if the application symbols are interleaved with other symbols (e.g. @(f, s(@(f, s(@(f, s(x))))))). To do that we (i) define a set B^d of all terms where such a stack size is bounded by d ∈ ℕ; (ii) define a set K^d and a class of TRS called K-TRS such that for any TRS R in this class, K^d is closed by R and K^d ∩ IRR(R) ⊆ B^{φ(d)} for some function φ. This is done by first introducing a type system over the terms; (iii) finally define L = B^{φ(d)} ∩ IRR(R) that can be used to instantiate Theorem 1.

Definition 4. For a given alphabet F = C ∪ {@}, B^d is the set of terms where every application depth is bounded by d. It is the smallest set defined by:

f ∈ B⁰ ⇐ f ∈ C
f(t_1, ..., t_n) ∈ B^d ⇐ f ∈ C^n ∧ t_1, ..., t_n ∈ B^d
@(t_1, t_2) ∈ B^{d+1} ⇐ t_1, t_2 ∈ B^d
t ∈ B^d ⇒ t ∈ B^{d+1}
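An added example (not from the paper) that computes, directly from the four clauses of Definition 4, the least d with t ∈ B^d, and checks the two term shapes the text discusses: a plain stack of applications and a stack interleaved with the constructor s. Its assumptions: a term is a nested tuple ("f", t1, ..., tn) with "@" as the application symbol, a function name such as f is a constant ("f",) of C, and a variable (a string such as "?x") counts as depth 0.

```python
# Added example (not from the paper): the least d with t in B^d for Definition 4,
# i.e. the depth of nested applications, where constructor symbols add nothing.
# Assumptions of the example: a term is a nested tuple ("f", t1, ..., tn) with "@"
# as the application symbol, function names such as f are constants ("f",), and
# a variable (a string such as "?x") counts as depth 0.

def app_depth(t):
    """Least d such that t is in B^d: a constructor passes on the maximum depth of
    its arguments, an application adds one to the maximum of its two arguments."""
    if isinstance(t, str):
        return 0
    inner = max((app_depth(c) for c in t[1:]), default=0)
    return inner + 1 if t[0] == "@" else inner

def in_B(t, d):
    return app_depth(t) <= d

def nested_app(n):
    """@(f, @(f, ... @(f, x) ...)) with n applications, the first shape in the text."""
    t = "?x"
    for _ in range(n):
        t = ("@", ("f",), t)
    return t

def interleaved(n):
    """@(f, s(@(f, s(... s(x))))): n applications separated by the constructor s."""
    t = "?x"
    for _ in range(n):
        t = ("@", ("f",), ("s", t))
    return t
```

Both shapes have depth n, which is why the text says the @ stack must be bounded even when applications are interleaved with other symbols: a language containing nested_app(n) or interleaved(n) for every n is contained in no single B^d.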


In Sect. 5, we show how to produce E^c_L such that B^d ∩ IRR(R) has a finite number of normal forms w.r.t. E^c_L→ with no equations on @. However, in general we do not have, for all k and for all terms t ∈ L^⊵(A^k), a term s ∈ B^d ∩ IRR(R) s.t. t →*_R s. Theorem 1 cannot be instantiated with L = B^d ∩ IRR(R). Instead we define (i) a set K^d ⊆ T(F) and φ such that K^d ∩ IRR(R) ⊆ B^{φ(d)} and (ii) a class of TRS, called K-TRS, for which L(A^k) ⊆ K^d. In a K-TRS, the right-hand sides of the rules are contained in a set K whose purpose is to forbid the construction of unbounded partial applications during rewriting. If the initial automaton satisfies L^⊵(A) ⊆ K^d then we can instantiate Theorem 1 with L = K^d ∩ IRR(R) and prove termination.


4.1 Types 


In order to define $K$ and $K^n$ we require the TRS to be well-typed. Our definition of types is inspired by [1]. Let $\mathbb{A}$ be a non-empty set of algebraic types. The set of types $\mathcal{T}$ is inductively defined as the least set containing $\mathbb{A}$ and all function types, i.e. $A \to B \in \mathcal{T} \Leftarrow A, B \in \mathcal{T}$. The function type constructor $\to$ is assumed to be right-associative. The arity of a type $A$ is inductively defined on the structure of $A$ by:

$$\begin{array}{ll}
ar(A) = 0 & A \in \mathbb{A} \\
ar(A \to B) = 1 + ar(B) & A \to B \in \mathcal{T}
\end{array}$$


Verifying Higher-Order Functions with Tree Automata 573

Instead of using alphabets, in a typed term environment we use signatures $\mathcal{F} = \mathcal{C} \cup \{@\}$ where $\mathcal{C}$ is a set of constructor symbols, each associated with a unique type, and $@$ is the application symbol (with no type). We also assign a type to every variable. We write $f : A$ if the symbol $f$ has type $A$, and $t : A$ for a term $t \in \mathcal{T}(\mathcal{F}, \mathcal{X})$ of type $A$. We write $\mathcal{W}(\mathcal{F}, \mathcal{X})$ for the set of all well-typed terms, using the usual definition. We extend the definition of term rewriting systems to typed TRS. A TRS is well typed if all rules are of the form $l : A \to r : A$ (the type is preserved). In the same way, an equation $s = t$ is well typed if both $s$ and $t$ have the same type. In the rest of this paper we only consider well-typed equations and TRSs.


Definition 5 (Functional TRS). A higher-order functional TRS is composed of rules of the form

$$@(\ldots @(f, t_1 : A_1) \ldots, t_n : A_n) : A \;\to\; r : A$$

where $f : A_1 \to \ldots \to A_n \to A \in \mathcal{C}$, $t_1, \ldots, t_n \in \mathcal{W}(\mathcal{C}, \mathcal{X})$ and $r \in \mathcal{W}(\mathcal{F}, \mathcal{X})$. A functional TRS is complete if every term $t = @(t_1, t_2) : A$ such that $ar(A) = 0$ can be rewritten using $\mathcal{R}$. In other words, all defined functions are total.


Types provide information about how a term can be rewritten. For instance, we expect the term $@(f : A \to B, x : A) : B$ to be rewritten by every complete (no partial function) TRS $\mathcal{R}$ if $ar(A \to B) = 1$. Furthermore, for certain types we can guarantee the absence of partial applications in the result of a computation using the type's order. For a given signature $\mathcal{F}$, the order of a type $A$, written $ord(A)$, is inductively defined on the structure of $A$ by:

$$\begin{array}{l}
ord(A) = \max\{ord(f) \mid f : \ldots \to A \in \mathcal{C}\} \\
ord(A \to B) = \max\{ord(A) + 1, ord(B)\}
\end{array}$$

where $ord(f : A_1 \to \ldots \to A_n \to A) = \max\{ord(A_1), \ldots, ord(A_n)\}$ (with, for $A_i = A$, $ord(A_i) = 0$). For instance $ord(int) = 0$ and $ord(int \to int) = 1$.


Example 5. Define two different types of lists, $list$ and $list'$. The first defines lists of $int$ with the constructor $consA : int \to list \to list \in \mathcal{C}$, while the second defines lists of functions with the constructor $consB : (int \to int) \to list' \to list' \in \mathcal{C}$. The importance of order becomes manifest here: in the first case a fully reduced term of type $list$ cannot contain any $@$, whereas in the second case it can. $ord(list) = 0$ and $ord(list') = 1$.


Lemma 1. If $\mathcal{R}$ is a complete functional TRS and $A$ a type such that $ord(A) = 0$, then all closed terms $t$ of type $A$ are rewritten into an irreducible term with no partial application:

$$\forall s \in IRR(\mathcal{R}),\ t \to^*_{\mathcal{R}} s \Rightarrow s \in B^0.$$


4.2 The Class K-TRS 


Recall that we want to define (i) a set $K^n \subseteq \mathcal{T}(\mathcal{F})$ and $\varphi$ such that $K^n \cap IRR(\mathcal{R}) \subseteq B^{\varphi(n)}$ and (ii) a class of TRS, K-TRS, for which $\mathcal{L}(\mathcal{A}^*) \subseteq K^n$. Assuming that $\mathcal{L}(\mathcal{A}) \subseteq K^n$ we instantiate Theorem 1 with $\mathcal{L} = K^n \cap IRR(\mathcal{R})$ and prove termination.
Definition 6 (K-TRS). A TRS $\mathcal{R}$ is part of K-TRS if for all rules $l \to r \in \mathcal{R}$, $r \in K$, where $K$ is inductively defined by:

$$\begin{array}{rcll}
x : A \in K & \Leftarrow & x : A \in \mathcal{X} & \\
f(t_1, \ldots, t_n) : A \in K & \Leftarrow & f \in \mathcal{C}^n \wedge t_1, \ldots, t_n \in K & \\
@(t_1 : A \to B, t_2 : A) : B \in K & \Leftarrow & t_1 \in Z,\ t_2 \in K \wedge B \in \mathbb{A} & (1) \\
@(t_1 : A \to B, t_2 : A) : B \in K & \Leftarrow & t_1, t_2 \in K \wedge ord(A) = 0 & (2)
\end{array}$$

with $Z$ defined by:

$$\begin{array}{rcl}
t \in Z & \Leftarrow & t \in K \\
@(t_1, t_2) \in Z & \Leftarrow & t_1 \in Z,\ t_2 \in K
\end{array}$$


By constraining the form of the right-hand side of each rule of $\mathcal{R}$, $K$ defines a set of TRS that cannot construct unbounded partial applications during rewriting. The definition of $K$ takes advantage of the type structure and Lemma 1. The rules (1) and (2) ensure that an application $@(t_1, t_2)$ is either: (1) a total application, and the whole term can be rewritten; or (2) a partial application where $t_2$ can be rewritten into a term of $B^0$ (Lemma 1). In (1), $Z$ allows partial applications inside the total application of a multi-parameter function.


Example 6. Consider the classical $map$ function. A typical call to this function is $@(@(map, f), l)$ of type $list$, where $f$ is a mapping function and $l$ a list. The whole term belongs to $K$ because of rule (1): $list$ is an algebraic type and its subterm $@(map, f) : list \to list$ belongs to $Z$. This subterm is a partial application, but there is no risk of stacking partial applications as it is part of a complete call (to the $map$ function).


Example 7. Consider the function $stack$ defined by:

$$\begin{array}{rcl}
@(@(stack, x), 0) & \to & x \\
@(@(stack, x), S(n)) & \to & @(@(stack, @(g, x)), n)
\end{array}$$

Here $g$ is a function of type $(A \to A) \to A \to A$. The $stack$ function returns a stack of partial applications whose height is equal to the input parameter:

$$@(@(stack, f), \underbrace{S(S(S \ldots S}_{k}(0) \ldots))) \;\to^*_{\mathcal{R}}\; \underbrace{@(g, @(g, @(g, \ldots @(g}_{k}, f) \ldots)))$$

The depth of partial application stacks in the output language is not bounded. With no equations on the $@$ symbol, the completion algorithm may not terminate. Notice that $x$ is a function and $@(g, x)$ a partial application. Hence the term $@(@(stack, @(g, x)), n)$ is not in $K$, so the TRS does not belong to the K-TRS class.


We define $K^n$ as $\{t\sigma \mid t \in K,\ \sigma : \mathcal{X} \to B^n \cap IRR(\mathcal{R})\}$ and claim that if, for all rules $l \to r$ of the functional TRS $\mathcal{R}$, $r \in K$, and if $\mathcal{L}(\mathcal{A}) \subseteq K^n$, then with Theorem 1 we can prove that the completion of $\mathcal{A}$ with $\mathcal{R}$ terminates. The idea is the following:

— Prove that if $\mathcal{A}$ recognises terms of $K^n$, then this is preserved by completion, using the notion of $K^n$-coherence of $\mathcal{A}$.

— Prove that $K^n \cap IRR(\mathcal{R}) \subseteq B^{n+2\beta} \cap IRR(\mathcal{R})$, where $\beta \in \mathbb{N}$ is a fixed upper bound of the arity of all the types of the program.

— Prove that there is a finite number of normal forms of $B^{n+2\beta} \cap IRR(\mathcal{R})$ w.r.t. $E_c$.

— Finally, combine those three properties and instantiate Theorem 1 with $\mathcal{L} = B^{n+2\beta} \cap IRR(\mathcal{R})$ to prove Theorem 2, stated as follows.


Theorem 2. Let $\mathcal{A}$ be a $K^n$-coherent REFD tree automaton, $\mathcal{R}$ a terminating functional TRS such that for all rules $l \to r \in \mathcal{R}$, $r \in K$, and $E$ a set of equations. Let $\mathcal{L} = B^{n+2\beta} \cap IRR(\mathcal{R})$. If $E = E^r \cup E^{\mathcal{L}}_c \cup E_{\mathcal{R}}$ then the completion of $\mathcal{A}$ by $\mathcal{R}$ and $E$ terminates.


To prove that after each step of completion the recognised language stays in $K^n$, we require the considered automaton to be $K^n$-coherent.


Definition 7 ($K^n$-coherence). Let $L \subseteq \mathcal{W}(\mathcal{F})$ and $n \in \mathbb{N}$. $L$ is $K^n$-coherent if

$$L \subseteq K^n \;\vee\; L \subseteq \mathcal{W}(\mathcal{F}) \setminus K^n$$

By extension we say that a tree automaton $\mathcal{A} = (\mathcal{F}, Q, Q_f, \Delta)$ is $K^n$-coherent if the language recognised by every state $q \in Q$ is $K^n$-coherent.


If $K^n$-coherence is not preserved during completion, then some states in the completed automaton may recognise terms outside of $K^n$. Our goal is to show that it is preserved by $\mathcal{C}_{\mathcal{R}}(\cdot)$ (Lemma 2) and then by $\mathcal{S}_E(\cdot)$ (Lemma 3).


Lemma 2 ($\mathcal{C}_{\mathcal{R}}(\mathcal{A})$ preserves $K^n$-coherence). Let $\mathcal{A}$ be a REFD tree automaton. If $\mathcal{A}$ is $K^n$-coherent, then $\mathcal{C}_{\mathcal{R}}(\mathcal{A})$ is $K^n$-coherent.


Lemma 3 ($\mathcal{S}_E(\mathcal{A})$ preserves $K^n$-coherence). Let $\mathcal{A}$ be a REFD tree automaton, $\mathcal{R}$ a functional TRS and $E$ a set of equations such that $E = E^r \cup E^{\mathcal{L}}_c \cup E_{\mathcal{R}}$ with $\mathcal{L} = B^{n+2\beta} \cap IRR(\mathcal{R})$. If $\mathcal{A}$ is $K^n$-coherent then $\mathcal{S}_E(\mathcal{A})$ is $K^n$-coherent.


By using Lemmas 2 and 3, we can prove that the completion algorithm, which is a composition of $\mathcal{C}_{\mathcal{R}}(\mathcal{A})$ and $\mathcal{S}_E(\mathcal{A})$, preserves $K^n$-coherence. The proofs of these two lemmas are based on a detailed analysis of the completion algorithm itself. The complete proofs are provided in [17].


Lemma 4 (Completion preserves $K^n$-coherence). Let $\mathcal{A} = (\mathcal{F}, Q, Q_f, \Delta)$ be a tree automaton, $\mathcal{R}$ a functional TRS and $E$ a set of equations. If $E = E^r \cup E^{\mathcal{L}}_c \cup E_{\mathcal{R}}$ with $\mathcal{L} = B^{n+2\beta} \cap IRR(\mathcal{R})$ and $\mathcal{A}$ is $K^n$-coherent, then for all $k \in \mathbb{N}$, $\mathcal{A}^k$ is $K^n$-coherent. In particular, $\mathcal{A}^*$ is $K^n$-coherent.


By construction we can prove that the depth of irreducible $K^n$ terms is bounded, which corresponds to the following lemma.

Lemma 5. For all $t : T \in K^n$, $t : T \in IRR(\mathcal{R}) \Rightarrow t : T \in B^{n+2\beta-ar(T)}$.
4.3 Proof of Theorem 2


Proof. According to Lemma 4, for all $k \in \mathbb{N}$, the completed automaton $\mathcal{A}^k$ is $K^n$-coherent. By definition this implies that $\mathcal{L}(\mathcal{A}^k) \subseteq K^n$. Moreover, we know that $IRR(\mathcal{R}) \cap K^n \subseteq B^{n+2\beta}$ (Lemma 5). Let $\mathcal{L} = B^{n+2\beta} \cap IRR(\mathcal{R})$. $\mathcal{R}$ is terminating, so for every term $s \in \mathcal{L}(\mathcal{A}^k)$ there exists $t \in \mathcal{L}$ such that $s \to^*_{\mathcal{R}} t$. Since the number of normal forms of $\mathcal{L}$ is finite w.r.t. $E$, Theorem 1 implies that the completion of $\mathcal{A}$ by $\mathcal{R}$ and $E$ terminates.


5 Equation Generation 


Theorem 2 states a number of hypotheses that must be satisfied in order to guarantee termination of the completion algorithm:

— The initial automaton $\mathcal{A}$ must be $K^n$-coherent and REFD.

— $\mathcal{R}$ must be terminating.

— All right-hand sides of rules of $\mathcal{R}$ are in the set of terms $K$. This is a straightforward syntactic check. If it is not verified, we can reject the TRS before starting the completion.

— The set of equations $E$ must be of the form $E^r \cup E^{\mathcal{L}}_c \cup E_{\mathcal{R}}$. The equation sets $E^r$ and $E_{\mathcal{R}}$ are determined directly from the syntactic structure of $\mathcal{R}$. However, there is no unique suitable set of contracting equations $E_c$. This set must be generated carefully, because a bad choice of contracting equations (i.e., equations that equate too many terms) will have a severe negative impact on the precision of the analysis result.


In this section, we describe a method for generating all possible sets of contracting equations $E_c$. To simplify the presentation, we only present the case where $\mathcal{L} = \mathcal{W}(\mathcal{C})$ and $IRR(\mathcal{R}) \subseteq \mathcal{W}(\mathcal{C})$ (i.e., all results are first-order terms). Our approach looks for contracting equations for the set of closed terms $\mathcal{W}(\mathcal{C})$ instead of the set $B^{n+2\beta}$ mentioned in Theorem 2. More precisely, we generate the set of equations iteratively, as a series of equation sets $E^k$ where the equations only equate terms of depth at most $k$. Recall that a contracting equation is of the form $u = u|_p$ with $p \neq \Lambda$, i.e., it equates a term with a strict subterm of the same type. A set of contracting equations over the set $\mathcal{W}(\mathcal{C})$ is then generated as follows: (i) generate the set of left-hand sides of equations as a covering set of terms [25], so that for each term $t \in \mathcal{W}(\mathcal{C})$ there exists a left-hand side $u$ of an equation and a substitution $\sigma$ such that $t = u\sigma$; (ii) for each left-hand side, generate all possible equations of the form $u = u|_p$ such that both sides have the same type; (iii) from all those equations, build all possible $E^{\mathcal{L}}_c$ (with $\mathcal{L} = \mathcal{W}(\mathcal{C})$) such that the set of normal forms of $\mathcal{W}(\mathcal{C})$ w.r.t. $E_c$ is finite. Since $E_c$ is left-linear and $\mathcal{L} = \mathcal{W}(\mathcal{C})$, this can be decided efficiently [11].


Example 8. Assume that $\mathcal{C} = \{0 : 0, s : 1\}$. For $k = 1$, the covering set is $\{s(x), 0\}$ and $E^1 = \{\{s(x) = x\}\}$. For depth 2, the covering set is $\{s(s(x)), s(0), 0\}$ and $E^2 = E^1 \cup \{\{s(s(x)) = x\}, \{s(s(x)) = s(x)\}, \{s(0) = 0\}, \{s(0) = 0, s(s(x)) = x\}, \{s(0) = 0, s(s(x)) = s(x)\}\}$. All equation sets of $E^1$ and $E^2$ satisfy Definition 3 and lead to different approximations.
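The added example below (not Timbuk code, and not from the paper) runs steps (i) and (ii) of the generation above on the signature of Example 8, reproducing its covering sets and the sets $E^1$ and $E^2$, and then normalises closed terms with one chosen $E_c$ to show why the normal forms become finite. The depth-$k$ covering set, the enumeration that picks at most one equation per left-hand side (which is what yields exactly the five new sets listed for $E^2$) and the innermost normalisation strategy are this example's own reading of the text; step (iii), the finiteness check of [11], is not implemented.

```python
# Added illustration, not Timbuk code: the covering-set construction, the
# one-equation-per-lhs enumeration and the innermost normaliser are our reading
# of Sect. 5; step (iii) (finiteness check, [11]) is not implemented here.
from itertools import product

# Signature: constructor -> (argument sorts, result sort).  Terms are
# ('var', name, sort) or ('con', f, args).  Example 8: C = {0 : 0, s : 1}.
C = {'0': ((), 'nat'), 's': (('nat',), 'nat')}

def sort_of(t):
    return t[2] if t[0] == 'var' else C[t[1]][1]

def cover(k, S, pos=''):
    """Depth-k covering set for sort S: every closed term of sort S is an instance of one element."""
    if k == 0:
        return [('var', 'x' + pos, S)]  # variables are named after their position
    out = []
    for f, (args, res) in C.items():
        if res == S:
            subs = [cover(k - 1, Si, pos + str(i + 1)) for i, Si in enumerate(args)]
            out += [('con', f, tuple(c)) for c in product(*subs)]
    return out

def canon(t, names=None):
    """Rename variables to x, y, z, ... in order of first occurrence."""
    names = {} if names is None else names
    if t[0] == 'var':
        names.setdefault(t[1], 'xyzuvw'[len(names)])
        return ('var', names[t[1]], t[2])
    return ('con', t[1], tuple(canon(s, names) for s in t[2]))

def strict_subterms(t):
    for s in (t[2] if t[0] == 'con' else ()):
        yield s
        yield from strict_subterms(s)

def contracting_equations(u):
    """All u = u|_p with p != Lambda whose two sides have the same sort (Definition 3)."""
    return [(u, s) for s in strict_subterms(u) if sort_of(s) == sort_of(u)]

def equation_sets(k, S):
    """E^k: the candidate sets E_c equating terms of depth at most k (E^0 is empty)."""
    if k == 0:
        return set()
    sets = equation_sets(k - 1, S)
    choices = [[None] + contracting_equations(canon(u)) for u in cover(k, S)]
    for combo in product(*choices):  # at most one equation per left-hand side
        chosen = frozenset(e for e in combo if e is not None)
        if chosen:
            sets.add(chosen)
    return sets

def match(pattern, t, sigma):
    if pattern[0] == 'var':
        return sigma.setdefault(pattern[1], t) == t
    return t[0] == 'con' and t[1] == pattern[1] and all(
        match(p, s, sigma) for p, s in zip(pattern[2], t[2]))

def subst(t, sigma):
    return sigma[t[1]] if t[0] == 'var' else ('con', t[1], tuple(subst(s, sigma) for s in t[2]))

def normal_form(t, E):
    """Innermost normalisation of a closed term with E oriented left to right; each step
    replaces a term by an instance of one of its strict subterms, so this terminates."""
    t = ('con', t[1], tuple(normal_form(s, E) for s in t[2]))
    for lhs, rhs in E:
        sigma = {}
        if match(lhs, t, sigma):
            return normal_form(subst(rhs, sigma), E)
    return t

def pretty(t):
    return t[1] if t[0] == 'var' or not t[2] else f"{t[1]}({', '.join(map(pretty, t[2]))})"

def nat(n):  # constructed closed term s^n(0)
    return ('con', '0', ()) if n == 0 else ('con', 's', (nat(n - 1),))
```

With $E_c = \{s(s(x)) = x\}$ every closed term normalises to $0$ or $s(0)$ (only parity survives), and with $\{s(0) = 0, s(s(x)) = s(x)\}$ everything collapses to $0$: both choices give finitely many normal forms, but very different approximations.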
To verify a property $\varphi$ on a program, we use completion and equation generation as follows. The program is represented by a TRS $\mathcal{R}$ and function calls are represented by an initial tree automaton $\mathcal{A}$. Both have to respect the hypotheses of Theorem 2. The algorithm searches for a set of contracting equations $E_c$ such that verification succeeds, i.e. $\mathcal{L}(\mathcal{A}^*)$ satisfies $\varphi$. Starting from $k = 1$, we apply the following algorithm:


1. We first complete the tree automaton $\mathcal{A}_k$, recognising the finite subset of $\mathcal{L}(\mathcal{A})$ of terms of maximum depth $k$. Since $\mathcal{L}(\mathcal{A}_k)$ is finite and $\mathcal{R}$ is terminating, the set of reachable terms is finite, completion terminates without equations and computes an automaton $\mathcal{A}^*_k$ recognising exactly the set $\mathcal{R}^*(\mathcal{L}(\mathcal{A}_k))$ [20].

2. If $\mathcal{L}(\mathcal{A}^*_k)$ does not satisfy $\varphi$ then verification fails: a counterexample is found.

3. Otherwise, we search for a suitable set $E_c$. All $E_c$ of $E^k$ that introduce a counterexample in the completion of $\mathcal{A}_k$ with $\mathcal{R}$ and $E_c$ are filtered out.

4. Then for all remaining $E_c$, we try to complete $\mathcal{A}$ with $\mathcal{R}$ and $E = E^r \cup E_{\mathcal{R}} \cup E_c$ and check $\varphi$ on the completed automaton. If $\varphi$ is true on $\mathcal{A}^*$ then verification succeeds. Otherwise, we try the next $E_c$.

5. If no $E_c$ remains, we start again with $k = k + 1$.


If there exists a set of equations $E_c$ able to verify the program, this algorithm will eventually find it, or find a counterexample. However, if there is no set of equations that can verify the program, this algorithm does not terminate.


6 Experiments 


The verification technique described above has been integrated in the Timbuk library [16]. We implemented the naive equation generation where all possible equation sets $E_c$ are enumerated. Despite the evident scalability issues of this simple version of the verification algorithm, we have been able to verify a series of properties of several classical higher-order functions: map, filter, exists, forall, foldRight, foldLeft, as well as higher-order sorting functions parameterised by an ordering function. Most examples are taken from or inspired by [26,28] and have corresponding TRSs in the $K$ set defined above. The property $\varphi$ consists in checking that a finite set of forbidden terms is not reachable (Patterns section of Timbuk specifications).

Given $\mathcal{A}$, $\mathcal{R}$ and $\mathcal{A}^*$, the correctness of the verification, i.e. the fact that $\mathcal{L}(\mathcal{A}^*) \supseteq \mathcal{R}^*(\mathcal{L}(\mathcal{A}))$, can be checked in a proof assistant embedding a formalisation of rewriting and tree automata. It is enough to prove that (a) $\mathcal{L}(\mathcal{A}^*) \supseteq \mathcal{L}(\mathcal{A})$ and that (b) for all critical pairs $(l \to r, \sigma, q)$ of $\mathcal{A}^*$ we have $r\sigma \to^*_{\mathcal{A}^*} q$. Property (a) can be checked using standard algorithms on tree automata. Property (b) can be checked by enumerating all critical pairs of $\mathcal{A}^*$ (there are finitely many) and by proving that all of them satisfy $r\sigma \to^*_{\mathcal{A}^*} q$. Since there exist algorithms for checking properties (a) and (b), the complete proof of correctness can automatically be built in the proof assistant. For instance, the automaton $\mathcal{A}^*$ can be used as a certificate to build the correctness proof in Coq [6] and in Isabelle/HOL [14]. It is also used to build unreachability proofs in Isabelle/HOL [14]. Besides, since verifying (a) and (b) is automatic, the correctness proof may be run outside of the proof assistant (in a more efficient way) using a formally verified external checker extracted from the formalisation. All our (successful) completion attempts output a comp.res file, containing $\mathcal{A}$, $\mathcal{R}$ and $\mathcal{A}^*$, which has been certified automatically using the external certified checker of [6]. Timbuk's site http://people.irisa.fr/Thomas.Genet/timbuk/funExperiments/ lists those verification experiments. Nine of them are automatically proven. Two other examples show that correct counterexamples are generated when the property is not provable. On one example, equation generation times out due to our naïve enumeration of equations. For this last case, by providing the right set of equations in mapTree2NoGen the verification of the function succeeds.


7 Related Work 


When it comes to verifying first-order imperative programs, there exist several successful tools based on abstract interpretation such as ASTREE [3] and SLAM [2]. The use of abstract interpretation for verifying higher-order functional programs has comparatively received less attention. The tree automaton completion technique is one analysis technique able to verify first-order Java programs [4]. Until now, the completion algorithm was guaranteed to terminate only in the case of first-order functional programs [19].

Liquid Types [31], followed by Bounded Refinement Types [33,34], and also Set-Theoretic Types [8,9], are all attempts to enrich the type system of functional languages to prove non-trivial properties on higher-order programs. However, these methods are not automatic. The user has to express the property he wants to prove using the type system, which can be tedious and/or difficult. In some cases, the user even has to specify straightforward intermediate lemmas to help the type checker.

The first attempt at verifying regular properties came with Jones [21] and Jones and Andersen [22]. Their technique computes a grammar over-approximating the set of states reachable by a rewriting system. However, their approximation is fixed and too rough to prove programs like Example 1 (filter odd). Our program and property models are close to those of Jones and Andersen. However, the approximation in our analysis is not fixed and can be automatically adapted to the verification objective.

Ong et al. propose one way of addressing the precision issue of Jones and Andersen's approach using a model checking technique on Pattern Matching Recursion Schemes [28] (PMRS). This technique improves the precision but is still not able to verify functions such as Example 1 (see [32] page 85). As shown in our experiments, our technique handles this example.

Kobayashi et al. developed a tree automata-based technique [26] (but not relying on TRS and completion), able to verify regular properties (including safety properties on Example 1). We have verified a selection of examples coming from [26] and observed that we can verify the same regular properties as they can. Our prototype implementation is inferior in terms of execution time, due to the slow generation of equations. A strength of our approach is that our verification results are certifiable and that they can be used as certificates to build unreachability proofs in proof assistants (see Sect. 6).

Our verification framework is based on regular abstractions and uses a simple abstraction mechanism based on equations. Regular abstractions are less expressive than Higher-Order Recursion Schemes [23,29] or Collapsible Pushdown Automata [7], and equation-based abstractions are a particular case of predicate abstraction [24]. However, the two restrictions imposed in this particular framework result in two strong benefits. First, the precision of the approximation is formally defined and precisely controlled using equations: $\mathcal{L}(\mathcal{A}^*) \subseteq (\mathcal{R}/E)^*(\mathcal{L}(\mathcal{A}))$ [20]. This precision property permits us to prove intricate properties with simple (regular) abstractions. Second, using tree automata-based models facilitates the certification of the verification results in a proof assistant. This significantly increases the confidence in the verification result compared, e.g., to verdicts obtained by complex CEGAR-based model-checkers.


8 Conclusion and Future Work 


This paper shows that tree automata completion is a simple yet powerful, fully automatic verification technique for higher-order functional programs, expressed as term rewriting systems. We have proved that the completion algorithm terminates on a subset of TRS encompassing common functional programs, and provided experimental evidence of the viability of the approach by verifying properties on fundamental higher-order functions including filtering and sorting.

One remaining question is whether this approach is complete: if there exists a regular approximation of the reachable terms of a functional program, can we build it using equations? We have already answered this question in the positive when $\mathcal{L} = \mathcal{W}(\mathcal{C})$, i.e., all results are first-order terms [15]. Extending this result to all kinds of results, including higher-order ones, is a promising research topic.

The generation of the approximating equations is automatic but simple-minded, and too simple to turn the prototype into a full verification tool. Further work will look into how sets of contracting equations can be generated in a more efficient manner, notably by taking the structure of the TRS into account and using a CEGAR approach.

The present verification technique is agnostic to the evaluation strategy. An 
interesting research track would be to experiment completion-based verification 
techniques with different term rewriting semantics of functional programs such 
as outlined by Clemente et al. [10]. This would permit us to take a particular 
evaluation strategy into account, and in certain cases, improve the precision of 
the verification. We already experimented with this in [18]. This is in line with 
our long-term research goal of providing a light-weight verification tool to assist 
the working OCaml programmer. 

Our work focuses on verifying regular properties represented by tree automata. Dealing with non-regular over-approximations of reachable terms would allow us to verify relational properties like comparing the length of the list before and after filter. This is one of the objectives of techniques like [24]. Building non-regular over-approximations of reachable terms for TRS, using a form of completion, is possible [5]. However, up to now, automatically adapting the precision of such approximations to a given verification goal is not possible. Extending their approach with equations may provide a powerful verification tool worth pursuing.